Preface



Crypto'92 took place on August 16-20, 1992. It was the twelfth in the series of annual 
cryptology conferences held on the beautiful campus of the University of California, Santa 
Barbara. Once again, it was sponsored by the International Association for Cryptologic 
Research, in cooperation with the IEEE Computer Society Technical Committee on 
Security and Privacy. The conference ran smoothly, due to the diligent efforts of the gen- 
eral chair, Spyros Magliveras of the University of Nebraska. 

One of the measures of the success of this series of conferences is represented by the ever 
increasing number of papers submitted. This year, there were 135 submissions to the con- 
ference, which represents a new record. Following the practice of recent program commit- 
tees, the papers received anonymous review. The program committee accepted 38 papers 
for presentation. In addition, there were two invited presentations, one by Miles Smid on 
the Digital Signature Standard, and one by Mike Fellows on presenting the concepts of 
cryptology to elementary-age students. These proceedings contain these 40 papers plus 3
papers that were presented at the Rump Session. I would like to thank all of the authors of 
the submitted papers and all of the speakers who presented papers. 

I would like to express my sincere appreciation to the work of the program committee: Ivan 
Damgard (Aarhus University, Denmark), Oded Goldreich (Technion, Israel), Burt Kaliski 
(RSA Data Security, USA), Joe Kilian (NEC, USA), Neal Koblitz (University of 
Washington, USA), Ueli Maurer (ETH, Switzerland), Chris Mitchell (Royal Holloway, 
UK), Kazuo Ohta (NTT, Japan), Steven Rudich (Carnegie Mellon, USA), and Yacov 
Yacobi (Bellcore, USA). I would also like to thank Joan Boyar for agreeing to chair one of 
the sessions. 



Ernest Brickell 
Albuquerque, NM 
August, 1993 
Provably Unforgeable Signatures

Jurjen N.E. Bos*
David Chaum†

Abstract. Very strong definitions of security for signature schemes have been pro- 
posed in the literature. Constructions for such schemes have been proposed, but so far 
they have only been of theoretical interest and have been considered far too inefficient 
for practical use. 

Here we present a new scheme that satisfies these strongest definitions and uses essen- 
tially the same amount of computation and memory as the widely applied RSA 
scheme. The scheme is based on the well known RSA assumption. 
Our signatures can be thought of as products resulting from a two-dimensional 
Lamport scheme, where one dimension consists of a list of public constants, and the 
other is the sequence of odd primes. 

Introduction 

One of the greatest achievements of modern cryptography is the digital signature. A
digital signature on a message is a special encryption of the message that can easily be
verified by third parties. Signatures cannot be denied by the signer nor falsified by
other parties.

This article introduces a new signature scheme that combines the strength of the 
strongest schemes with the efficiency of RSA. 

Signing a message of 245 bits in our scheme is possible in roughly 910 multiplica- 
tions, and verifying it costs about 152 multiplications. In comparison, RSA, using the 
ISO/IEC standard 9796 redundancy scheme, takes roughly 768 multiplications (or 610 
using addition chains) for signing, and 3 (or optionally 17) for verification. RSA sig- 
natures are 512 bits long, while ours requires an additional message counter. Thus, 16 
extra bits give a scheme that allows 65,536 signatures per public key. 

A variation involving pre-computation, signs short messages (64 bits) in 33 multi- 
plications (not counting precomputation) and verifies in 35 multiplications. 

After the introduction, we discuss other signature schemes relevant to this work. 
We discuss the Lamport signature scheme, on which this signature scheme is based, in 
detail. Then, the new scheme is explained, and the possible choices for parameter val- 
ues are shown. 

* This article is adapted from the dissertation "Practical Privacy" of Jurjen N.E. Bos, written while he was at CWI (the
Dutch nationally funded centre for Mathematics and Computer Science). He is currently affiliated with Irdeto (a pay TV
company) in Hoofddorp, Netherlands.

† David Chaum is affiliated both with CWI and DigiCash (innovators in electronic money systems).
Signature scheme

An overview of signature schemes, comparing securities, can be found in the paper 
mentioned earlier [GMR88]. We use their notation. They define a signature scheme 
as consisting of the following components: 

• A security parameter k, that defines the security of the system, and that may also 
influence performance figures such as the length of signatures, running times and 
so on. 

• A message space M, that defines on which messages the signature algorithm may 
be applied. 

• A signature bound b, that defines the maximal number of signatures that can be
generated without reinitialization. Typically, this value depends on k, but it can
be infinite.

• A key generation algorithm G, that allows a user to generate a pair of 
corresponding public and secret keys for signing. The secret key S is used for 
generating a signature, while the public key P is used to verify the signature. 

• A signature algorithm σ, that produces a signature, given the secret key and the
message to be signed.

• Finally, a verification algorithm, that produces true or false on input of a message,
a signature and a public key. It outputs true if and only if the signature is valid for
the particular message and public key.

Some of these algorithms may be randomized, which means that they may use
random numbers. Of course, G must be randomized, because different users must
obtain different keys. The signing algorithm σ is sometimes randomized, but
this tends to produce larger signatures. The verification algorithm is usually not ran-
domized.

A simple example of a signature scheme is a trapdoor one-way function f. The
function f is used for verification by comparing the function value of the signature
with the message to be signed, and σ is the trapdoor of f. The main problem with
such a scheme is that random messages f(x) can be signed by taking a random signa-
ture value x. A simple solution is to let M be a sparse subset of a larger space, so that
the probability that f(x) is a valid message for random x is low. An example of a
sparse subset is the set of "meaningful" messages.

Related work 

The notion "digital signature" was introduced in [DH76]. This paper, which can be 
considered the foundation of modern cryptography, discusses the possibility of digital 
signatures and the use of a trapdoor one-way function to make them.

[RSA78] is the original article on the RSA scheme. It introduces the famous RSA 
trapdoor one-way function. This function is still widely in use and is applied fre- 
quently. A well-known weakness of RSA is that it is multiplicative: the product of 
two signatures is the signature of the product. This potential problem can be prevent- 
ed as above by choosing an appropriate sparse message space. 

Since then, an enormous number of signature schemes have been proposed
[Rab77, MH78, Sha78, Rab79, Lie81, DLM82, GMY83, Den84, GMR84, OSS84,
ElG85, OS85, FS86, BM88, GMR88, CA89, EGL89, EGM89, Mer89, Sch89,
SQV89, BCDP90, Cha90, CR90, Hay90, CHP91], applied [Wil80, Cha82, Gol86,
Bet88], and broken [Yuv79, Sha82, Tu84, BD85, EAKMM85, Roo91]. We will not
discuss all these schemes here; we only discuss the ones that are interesting to com-
pare with the new scheme.

The schemes [Rab79, GMY83, GMR84, GMR88] are steps towards a provably 
secure signature scheme. The scheme described in the last article is secure in a very 
strong way: it is "existentially unforgeable under an adaptive chosen-message attack" 
with probability smaller than 1/Q(k) for every polynomial Q. This means that
generating a new signature is polynomially hard if signatures on old messages are
known, even if the old signatures are on messages chosen by the attacker.

The scheme in [GMR88] is based on factoring. While our scheme is based on the 
slightly stronger RSA assumption, it is much more efficient. The signature scheme of
[GMR88] uses a large amount of memory for the signer, and quite a lot of computa- 
tion. Our scheme uses no memory at all, except for a counter and the public values, 
and signing and verifying takes about as much computation as RSA does, depending 
on the parameters. 

The Lamport Scheme 

Our scheme can be thought of as an optimization, for both security and efficiency, of
[GMY83]. To explain the new system, we compare it to the earlier Lamport scheme
(explained already in [DH76, page 650]). To make a signature in this scheme, the
signer makes a secret list of $2k$ random numbers

$A = a_{1,0},\ a_{1,1},\ a_{2,0},\ a_{2,1},\ \ldots,\ a_{k,0},\ a_{k,1},$

applies a one-way function $f$ to all elements, and publishes the result $B$:

$B = f(a_{1,0}),\ f(a_{1,1}),\ f(a_{2,0}),\ f(a_{2,1}),\ \ldots,\ f(a_{k,0}),\ f(a_{k,1}).$

The signature consists of the numbers $a_{1,m_1}, a_{2,m_2}, \ldots, a_{k,m_k}$ from the list $A$ (one
from each "column"), where $m_1, m_2, \ldots, m_k$ are the bits of the message to be signed.

The lists $A$ and $B$ cannot be used again.
The properties of Lamport's scheme are easy to verify:

• Signing a message is only the publication of the proper elements of A.

• To forge a signature, one needs to find certain values from the list A. How hard
this is depends on the security of the one-way function f.

• If the values A are only used for one signature, new signatures cannot be made
from old ones.

• Verification of a signature consists of applying the one-way function to the signa-
ture values, and comparing them to the public values determined by the signed
message.

The new system uses the same idea, with three important differences. First, the list
B is replaced by another list that can be used for all signatures. Second, the list A is 
constructed from two lists so that less memory is needed to define it. Third, the ele- 
ments of A in the signature can be combined into a single number. 

A small optimization 

There is a trivial optimization of Lamport's scheme that reduces the number of public 
function values to almost half, that we could not find in the literature. This optimiza- 
tion is independent of the signature scheme as such. Basically, the signer signs by 
publishing a k-element subset of the 2k secret numbers. Lamport's scheme chooses
a particular set of subsets of the set of 2k elements, as shown above. The necessary 
property of this set of subsets is that no subset includes another. 

There are other sets of subsets with the property that no subsets includes another. 
A largest set of subsets with this property is the set of all k-element subsets (a well-known
result from lattice theory). For these sets, it is easy to see that no subset includes
another.

For example, in Lamport's scheme, the list of 6 elements

$A = a_{1,0},\ a_{1,1},\ a_{2,0},\ a_{2,1},\ a_{3,0},\ a_{3,1}$

allows us to sign messages of 3 bits. If we renumber $A$ as $a_1, a_2, a_3, a_4, a_5, a_6$,
we get the set of 20 three-element subsets of $A$:

$\{a_1,a_2,a_3\},\ \{a_1,a_2,a_4\},\ \{a_1,a_2,a_5\},\ \{a_1,a_2,a_6\},\ \{a_1,a_3,a_4\},$
$\{a_1,a_3,a_5\},\ \{a_1,a_3,a_6\},\ \{a_1,a_4,a_5\},\ \{a_1,a_4,a_6\},\ \{a_1,a_5,a_6\},$
$\{a_2,a_3,a_4\},\ \{a_2,a_3,a_5\},\ \{a_2,a_3,a_6\},\ \{a_2,a_4,a_5\},\ \{a_2,a_4,a_6\},$
$\{a_2,a_5,a_6\},\ \{a_3,a_4,a_5\},\ \{a_3,a_4,a_6\},\ \{a_3,a_5,a_6\},\ \{a_4,a_5,a_6\};$

this allows us to sign one of 20 messages, which is equivalent to more than 4 bits.
In general, there are

$\binom{2k}{k}$, or about $\dfrac{2^{2k}}{\sqrt{\pi k}}$,

$k$-element subsets, so that we can sign messages of about $2k - \tfrac{1}{2}\log_2(\pi k)$ bits.
The original Lamport scheme allowed messages of only $k$ bits, so that we get almost
a doubling of the message size for the same size of the list $B$. This simple improve-
ment can also be used in our new signature scheme.

To encode a signature, a mapping needs to be defined between messages and these 
subsets: 

s(message) = subset. 

The simplest mapping just enumerates messages (interpreted as numbers from 0 
onwards) to sets (seen as binary strings that denote 1 for presence and 0 for absence) 
in order. Such a mapping is easily and efficiently computed by the algorithm shown in 
figure 1. The binomial coefficients do not need to be computed by repeated multipli- 
cation and division. The first binomial coefficient is always the same, so it can be pre- 
computed, and the others can be computed by one multiplication and one division by 
small numbers using the properties:

The algorithm outputs ones and zeros corresponding to the elements in the result- 
ing set. 

Note that the Lamport scheme uses another mapping that maps numbers onto k- 
element subsets, but that only a small number of these sets are used. 



Let $n$, the message, be a number in the range $0 \ldots \binom{2k}{k} - 1$.

Put $2k$ in $t$ and $k$ in $e$.
While $t > 0$:

    Put $t - 1$ in $t$.

    If $n \ge \binom{t}{e}$, put $n - \binom{t}{e}$ in $n$, $e - 1$ in $e$, and output a 1 (this $t$ is in the set).

    Else, output a 0 (this $t$ is not in the set).

Fig 1. Algorithm for the mapping s.
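The mapping s of figure 1, its inverse, and a Lamport signature that reveals the secrets of s(m), as an added example that is not part of the paper (the paper gives no code). Assumptions of this example: SHA-256 plays the one-way function f, which the paper leaves unspecified; the bit order of s follows figure 1, with the first output bit belonging to the last secret; the helper names (`message_bits`, `chosen_secrets`, `s_inverse`) are this example's own.

```python
"""Lamport one-time signatures over k-element subsets of 2k secrets.

Added example, not code from the paper. It implements the mapping s of
figure 1 (message number -> k-subset) and its inverse, and a Lamport
signature that reveals the secrets of s(m). SHA-256 stands in for the
one-way function f, which the paper leaves unspecified.
"""
import hashlib
import math
import secrets


def message_bits(size):
    """Bits signable with one list of `size` secrets: floor(log2 C(size, size//2))."""
    return math.comb(size, size // 2).bit_length() - 1


def s(n, k):
    """Figure 1: map n in 0..C(2k,k)-1 to a k-subset of the 2k secrets.

    Output is a list of 2k bits in the order of figure 1: position i
    refers to secret t = 2k-1-i, and a 1 means t is in the subset.
    """
    if not 0 <= n < math.comb(2 * k, k):
        raise ValueError("message out of range")
    bits, e = [], k
    for t in range(2 * k - 1, -1, -1):  # "put t-1 in t" while t > 0
        c = math.comb(t, e)            # the C(t, e) subsets that avoid t come first
        if n >= c:
            n, e = n - c, e - 1
            bits.append(1)             # this t is in the set
        else:
            bits.append(0)             # this t is not in the set
    return bits


def s_inverse(bits):
    """Number of the subset encoded by `bits` (same order as s): s_inverse(s(n, k)) == n."""
    n, e = 0, sum(bits)
    for i, b in enumerate(bits):
        if b:
            n += math.comb(len(bits) - 1 - i, e)
            e -= 1
    return n


def chosen_secrets(bits):
    """Indices t of the secrets selected by a bit list from s, largest first."""
    return [len(bits) - 1 - i for i, b in enumerate(bits) if b]


def f(x):
    """The one-way function; SHA-256 is this example's choice."""
    return hashlib.sha256(x).digest()


def keygen(k):
    """List A of 2k fresh secrets and the public list B = f(A). Use once."""
    secret = [secrets.token_bytes(32) for _ in range(2 * k)]
    return secret, [f(a) for a in secret]


def sign(secret, n):
    """Reveal the secrets a_t for t in s(n); the verifier recomputes the subset itself."""
    return [secret[t] for t in chosen_secrets(s(n, len(secret) // 2))]


def verify(public, n, sig):
    """Check that the revealed values hash to exactly the public values chosen by s(n)."""
    try:
        chosen = chosen_secrets(s(n, len(public) // 2))
    except ValueError:
        return False
    return len(sig) == len(chosen) and all(f(a) == public[t] for a, t in zip(sig, chosen))


if __name__ == "__main__":
    k = 8                                   # 16 secrets sign one of C(16,8) = 12870 messages
    sk, pk = keygen(k)
    sig = sign(sk, 12345)
    print("valid:", verify(pk, 12345, sig), "forged:", verify(pk, 12346, sig))
    print("bits from 250 secrets:", message_bits(250))
```

The verifier must recompute s(n) and compare the revealed values position by position against exactly that subset; accepting any k values that hash into B would defeat the antichain property. `message_bits` reproduces the paper's figures: 250 secrets give 245 bits, 68 give 64, 500 give 495.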



The New Signature Scheme 

The new signature scheme replaces the list A of the Lamport scheme by a list of num-
bers that can be organized in a matrix. Instead of using a new list B for every signa-
ture, a fixed list called R is used for all signatures and all participants. The one-way
function f is replaced by a set of trapdoor one-way functions, that changes per signa-
ture. For the trapdoor one-way functions, we use the modular root function of
[RSA78].

The construction allows us to sign long messages using only a few numbers to
define the set A. In the example of figure 2, the set A of 12 elements is constructed
from three primes $p_1, p_2, p_3$ (used only for this signature) and four public values
$r_1, r_2, r_3, r_4$ (that can be used again). This set allows us to sign messages of 9
bits, since there are $924 > 2^9$ possible 6-element subsets of A. Signing messages of 9
bits in the original Lamport scheme takes 18 public values that can be used only once.

Fig. 2. Example list A of the new scheme: the $3 \times 4$ matrix with entries $a_{ij} = r_j^{1/p_i} \bmod n$ ($i = 1, 2, 3$; $j = 1, \ldots, 4$).



The numbers $a_{ij}$ of A are secret encryptions of the numbers $r_j$ of R, and the
corresponding decryption exponents are public. The multiplicative property of RSA
allows us to multiply the values of the signature to form one number. Verification of a
signature can be done using a simple computation, without having to compute the sep-
arate factors.

The public values of the new system are: 

• One modulus per signer; 

• The system-wide list R. This list is used by all users and does not change
often, so that distribution does not require much traffic. The numbers in R are
smaller than the smallest modulus used by the signers.

• A list of sets of primes that may be used for signing. For security reasons, the sets 
may not overlap each other, and the signers may only use these sets of primes. 

A signature consists of the original message signed, the signature proper (an inte- 
ger smaller than the modulus of the signer), and a description of the prime set. 
In the language of [GMR88]: 

• The security parameter determines the size of the RSA modulus. This modulus 
can vary per user. 

• The message space M is (equivalent to) the set of subsets of A that include half the 
elements. 

• The size of the public list of sets of primes determines the signature bound b. 

• Key generation is a matter of generating an RSA modulus, and computing 
exponents for the modular root extractions. 

• Signing and verification are defined below. 
Signing

For the list $A$ of a signature, the set of RSA encryptions

$A = \{\, r^{1/p} \bmod n \mid p \in P,\ r \in R \,\}$

is used, where:

• $P$ is a set of primes from the public list;

• $R$ is the public list of verification values;

• $n$ is the RSA modulus of the signer.

As explained above, a signature is constructed from a subset, determined by $s(m)$,
of half these numbers. The constant $k$ used in the algorithm for the mapping $s$ is equal to
$\lfloor \#A / 2 \rfloor$. This allows us to sign a message of almost $\#A = \#P \cdot \#R$ bits. The product of
the elements of $A$ in this subset is the signature. Since this is a single number, the sig-
nature is much more compact than in Lamport's scheme.

Thus, signing a message consists of the following steps:

• Choose the set $P$ of primes that is to be used for this signing from the public list.
This determines $A$:

$A = \{\, r_j^{1/p_i} \bmod n \mid (i, j) \in \{1, \ldots, \#P\} \times \{1, \ldots, \#R\} \,\}.$

Like the sets $A$ and $B$ in Lamport's scheme, the set $P$ can be used only once. The list
$A$ need not be computed.

• Determine the message $m$ to sign. This could be a message, or a public hash
function value of that message, for example.

• Compute the subset $M$ of index pairs from $\{1, \ldots, \#P\} \times \{1, \ldots, \#R\}$ from the
message $m$ with the algorithm described above:

$M = s(m)$

• Compute the signature proper:

$S = \prod_{(i,j) \in M} r_j^{1/p_i} \bmod n$

and send $m$, $P$, and $S$ to the recipient.

There are two ways to increase the efficiency of signing. If there is time to do a 
precomputation, the entire set A can be computed before the value of m is known. 
Although this takes quite a while, signing becomes much faster, since signing consists 
only of multiplying the proper values of A together. If precomputation is not possible, 
the computation of S can be speeded up with a vector addition chain [Bos92]. 

Verification 

Instead of trying to compute individual factors of the signature, the number $S$ can be
verified in a single computation. To see this, we note that the power of the signature

$S^{\prod_{p_k \in P} p_k}$

should be equal to the following product that can be computed from public values:

$\prod_{(i,j) \in M} r_j^{\left(\prod_{p_k \in P} p_k\right) / p_i}.$

The latter product can be computed with a vector addition chain. Verification of a
signature consists of checking that these two values are the same. The verification can
be performed with a single vector addition chain, if the inverse of the signature is
computed first:

$S^{-\prod_{p_k \in P} p_k} \cdot \prod_{(i,j) \in M} r_j^{\left(\prod_{p_k \in P} p_k\right) / p_i},$

which must evaluate to 1 (mod $n$). To increase the efficiency of the verification, the
signer could send $1/S$ instead of $S$, so that the inversion is performed only once by
the signer, and not by every verifier.

If not all prime numbers from P occur as exponents in the set M, it is possible to 
verify a signature using slightly fewer multiplications by raising S to only the occurr- 
ing primes. Unfortunately, this optimization is only applicable in the less interesting 
cases where verification requires a lot of multiplications. 

The verifier must also check whether P occurs in the public list. If P is described
as an index number in this list, this reduces to checking that the index is in range.
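Signing and verification as described in the two sections above, as an added example that is not the authors' code. It runs the scheme on deliberately small parameters: 64-bit RSA primes instead of a 668-bit modulus, a public list R of 8 values expanded from a seed by hashing (the Parameters section suggests this), and disjoint sets P of 2 odd primes cut from a short table, so #A = 16 and a message is a number below C(16, 8). The reading of an index t of A as the pair (i, j) = divmod(t, #R), the Miller-Rabin key generation, the table of primes and the function names are this example's own; the root exponents d with p_i · d ≡ 1 (mod φ(n)) are ordinary RSA.

```python
"""Signing and verification of this paper's scheme on a toy RSA modulus.
Added example, not the authors' code. Scaled-down parameters: 64-bit RSA
primes, #R = 8 values expanded from a seed by hashing (as the Parameters
section suggests), sets P of #P = 2 odd primes from a short table, so that
#A = 16 and a message is a number below C(16, 8). The set index is the counter."""
import hashlib
import math
import secrets

PRIME_TABLE = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59]
SET_SIZE = 2                              # #P, primes per signature
NUM_SETS = len(PRIME_TABLE) // SET_SIZE   # signature bound b
NUM_R = 8                                 # #R

def prime_set(index):
    """The index-th set P of the public list; consecutive slices never overlap."""
    if not 0 <= index < NUM_SETS:
        raise ValueError("no unused prime set left: change R or the modulus")
    return PRIME_TABLE[SET_SIZE * index:SET_SIZE * (index + 1)]

def public_list_R(seed, count=NUM_R):
    """List R expanded from a seed by a public hash; 62-bit values lie below any 128-bit modulus."""
    return [2 + int.from_bytes(hashlib.sha256(seed + bytes([j])).digest()[:8], "big") % (1 << 62)
            for j in range(count)]

def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases, after trial division by small primes."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23)
    if n in small:
        return True
    if n < 2 or any(n % p == 0 for p in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits, avoid):
    """Prime p of `bits` bits with gcd(p-1, avoid) == 1, so every table prime has a root exponent."""
    while True:
        p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if math.gcd(p - 1, avoid) == 1 and is_probable_prime(p):
            return p

def keygen(bits=64):
    """RSA modulus n and, per table prime ell, the secret root exponent d with ell*d = 1 (mod phi(n))."""
    avoid = math.prod(PRIME_TABLE)
    p = random_prime(bits, avoid)
    q = random_prime(bits, avoid)
    while q == p:
        q = random_prime(bits, avoid)
    phi = (p - 1) * (q - 1)
    return p * q, {ell: pow(ell, -1, phi) for ell in PRIME_TABLE}

def s(m, size, k):
    """Figure 1 mapping: message m -> k-element subset of range(size), indices largest first."""
    if not 0 <= m < math.comb(size, k):
        raise ValueError("message too large for these parameters")
    chosen, e = [], k
    for t in range(size - 1, -1, -1):
        c = math.comb(t, e)
        if m >= c:
            m, e = m - c, e - 1
            chosen.append(t)
    return chosen

def sign(n, roots, R, counter, m):
    """S = prod over (i,j) in s(m) of r_j^(1/p_i) mod n; index t of A is read as (i, j) = divmod(t, #R)."""
    P = prime_set(counter)                # this P must never be used again
    size = len(P) * len(R)
    S = 1
    for t in s(m, size, size // 2):
        i, j = divmod(t, len(R))
        S = S * pow(R[j], roots[P[i]], n) % n
    return m, counter, S

def verify(n, R, sig):
    """Check S^(prod P) == prod over (i,j) in s(m) of r_j^(prod P / p_i) mod n from public values only."""
    m, counter, S = sig
    if not (0 <= counter < NUM_SETS and 1 <= S < n):
        return False                      # P is given as an index, so the list check is a range check
    P = prime_set(counter)
    size = len(P) * len(R)
    try:
        subset = s(m, size, size // 2)
    except ValueError:
        return False
    prod_P = math.prod(P)
    rhs = 1
    for t in subset:
        i, j = divmod(t, len(R))
        rhs = rhs * pow(R[j], prod_P // P[i], n) % n
    return pow(S, prod_P, n) == rhs
```

Usage: `n, roots = keygen()`, `R = public_list_R(b"constructed seed")`, `sig = sign(n, roots, R, 0, 1234)`; `verify(n, R, sig)` returns True, while the same product presented under counter 1, or the product of two signatures, fails verification. Two points the code makes explicit that the text leaves implicit: key generation rejects primes p with gcd(p − 1, ∏ table) ≠ 1, because a root exponent for p_i exists only when p_i does not divide φ(n); and the counter is signer state that must be stored durably, since reusing a prime set violates the non-overlap rule above and hands the attacker two vectors over the same primes, which the unforgeability proof excludes.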

Parameters 

In practice, the following parameter values could be used: 

• A modulus size big enough to make factorization hard (200 digits, or 668 bits).

• $R$ a list of 50 numbers.

• The sets $P$ consisting of the $(5n+1)$th to the $(5n+5)$th odd prime number, where
$n \in \{0, \ldots, 16404\}$ is the sequence number of the signature. This uses the primes
of up to 20 bits.

With these parameters, we have sets A of 250 elements, so that a message of 245 
bits (30 bytes) can be signed. A signature consists of the message, the signature pro- 
duct (668 bits, or 84 bytes), and the index number of the prime set (15 bits, or 2 bytes). 
Computing a signature takes about 1512 modular multiplications, and verification 
about 272; both these numbers are obtained using vector addition chains. 

The list of the odd primes up to 20 bits (the highest being 1048573) can easily be
stored; it would need only 64 K bytes of storage (using a bit table of the odd numbers)
and contain 82025 primes. Such a list can easily be stored in a ROM chip. When all
primes are used up, the user can choose a new modulus and start again. Another solution
is to change the list R often enough so that users do not run out of primes. To
make it possible to verify old signatures, old values of R and the user moduli must be 
saved. 

The list R can be computed from a seed number using a public hash function. This
way, only one seed number is needed to define R. This allows one to use a long list
R while using small amounts of data to distribute it. Also, less data is needed to save
old lists.

Figure 3 shows the performance of the algorithm for several sizes of R and P. For 
each of the entries in the table, the modulus is 668 bits (200 decimal digits), and the 
size of the primes in P is 20 bits. The entries are computed by averaging random 
number approximations. The entries marked by * have an estimated standard devia- 
tion higher than 10, so that the last digits are likely to be inaccurate. 

Powers and products were computed using addition chains and sequences; see
[Bos92, chapter 4]. The products were computed collecting the base numbers; for
example, the product

$b_1^{x_1} \cdot b_2^{x_2} \cdot b_1^{x_3} \cdot b_3^{x_4} \cdot b_2^{x_5}$

would be computed as

$b_1^{x_1 + x_3} \cdot b_2^{x_2 + x_5} \cdot b_3^{x_4}$

using a vector addition chain algorithm. In the cases where a single power was to be
computed, the "window method" of [Bos92] was applied.

The table shows that in the general case, where verification is done more often than 
signing, it is advantageous to use a small P, possibly of only one element. The length 
of the list R is not a problem if it is generated from a seed, as suggested above. 
Another advantage of using a small set P is that the list R has to change less often. 



  #R    #P   message (bits)   sign   verify
 250     1        245          910     152
  50     5        245         1512     272
   5    50        245         1451    2048*
   1   250        245          796    7123*
 500     1        495         1035     278
  50    10        495        2964*    1372*
  68     1         64          819      61
  17     4         64         1317     162
   4    17         64         1301     659*

Fig. 3. Performance (modular multiplications) for different sizes of R and P.
The influence of the modulus size and prime size on the performance is shown in
Figure 4. In this table, the size of R is set to 50 elements, while the sets P contain 5
elements each. The number of multiplications for signing depends on the size of the 
modulus only, while the number of multiplications for verifying depends on the size of 
the prime numbers only. Although it saves a little time during the signing to use a 
shorter modulus, we suggest using a modulus of 668 bits, since the current technology 
already allows factoring numbers of up to 351 bits. 

The size of the primes in the sets P determines the verification time. Choosing 
smaller primes increases the speed of verification, but allows fewer signatures before a 
new List R is needed. 



modulus size (bits)   signing
        512            1172
        668            1512

prime size (bits)     verifying
        10              171
        20              272
        30              381

Fig. 4. Performance (modular multiplications) for different sizes of modulus and primes.



If the elements of A are precomputed, signing takes #A/2 − 1 multiplications. The
precomputation takes about 796 · #A multiplications, so precomputation is only effec-
tive if there is plenty of time for doing it.

For extremely fast verification of signatures, we choose a list R of 68 elements,
generated from a seed number that is part of the signature, and P = {3}. For these pa-
rameters, the message to be signed is 64 bits (8 bytes). This allows verification of a
signature in only 35 modular multiplications, plus the time to generate the elements of
R. Signing takes about 819 multiplications. Using precomputation, signing takes 33
multiplications, but about 55000 multiplications for the precomputation.



Proof of unforgeability 

We prove that the signature scheme is "existentially unforgeable under an adaptive 
chosen-message attack". This means that, under the RSA assumption, if an attacker 
can influence the signer to sign any number of messages of his liking, he cannot forge 
new signatures in polynomial time, even if the messages depend on the signatures on 
earlier messages. 

The main theorem used to prove unforgeability of the signature system is proved 
by Jan-Hendrik Evertse and Eugene van Heijst in [EH90], and is a generalization of a 
theorem by Adi Shamir [Sha83]. The theorem is about computing a product of RSA 
roots with a given modulus if a set of products of signatures is known. Under the RSA 
assumption, the theorem states that if a set of products of roots is known, the only new 
products of roots that can be constructed in polynomial time are those that can be
computed using multiplication and division.

One assumption we make is that the attacker cannot combine the signatures of 
different participants, because they have different moduli. This is still an open prob- 
lem. This assumption allows us to use the results of [EH90]. 

In our situation, we assume an attacker who knows many signature products $S$
from a participant. These products can be written as products of roots of elements of
$R$:

$S = \prod_i r_i^{x_i},$

where the numbers $x_i$ are rational numbers. The theorem of [EH90] states that if we
interpret the $x$ as vectors, the only new products that can be computed by the attacker
correspond to linear combinations of these vectors. What remains to be proved is that
linear combinations of these vectors do not give products that the attacker can use for
new signatures.

The denominators of the rational numbers are products of primes from the set $P$
of the corresponding signature, since the $x_i$ are sums of the form $\frac{1}{p_1} + \frac{1}{p_2} + \cdots$, where
$p_i \in P$. This means that we can speak of "the set of primes in a vector", meaning both
the set of primes that occur in the denominators of the elements, and the set $P$ used for
generating the signature. Every signature uses another $P$, and the sets $P$ do not
overlap, so the sets of primes in the vectors also do not overlap. A linear combination
of vectors will contain only primes that occurred in the original vectors. From this we
see that combining signatures with multiplication and division will not produce a
signature with a set $P$ that is not used before.

For a set P that has already been used, the only linear combination of vectors that 
contains the primes of P is a multiple of the corresponding vector, because any other 
linear combination of vectors contains primes not in P . This means that other signa- 
ture products do not help compute a new signature product with a given set P. From 
the definition of the signature product, we see that a power of a product cannot be a 
signature on another message, so this method also yields no new signatures for the 
attacker. 
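As an added illustration, not from the paper, the vector argument carried through on the smallest case: $\#P = 1$, $\#R = 4$, $k = 2$, and two signatures, $S$ on the subset $\{1, 3\}$ under $P = \{p\}$ and $S'$ on $\{2, 3\}$ under $P' = \{p'\}$, with $p \ne p'$:

$$S = r_1^{1/p}\, r_3^{1/p}, \quad x = \left(\tfrac{1}{p},\ 0,\ \tfrac{1}{p},\ 0\right); \qquad S' = r_2^{1/p'}\, r_3^{1/p'}, \quad x' = \left(0,\ \tfrac{1}{p'},\ \tfrac{1}{p'},\ 0\right).$$

Everything the attacker can form by multiplication and division is $S^a S'^b$ for integers $a, b$, with vector

$$a x + b x' = \left(\tfrac{a}{p},\ \tfrac{b}{p'},\ \tfrac{a}{p} + \tfrac{b}{p'},\ 0\right).$$

A signature under $\{p\}$ has a vector whose entries are $0$ or $\tfrac{1}{p}$. The second entry $\tfrac{b}{p'}$ is of that form only for $b = 0$, which leaves $S^a$ with vector $\left(\tfrac{a}{p}, 0, \tfrac{a}{p}, 0\right)$, a signature vector only for $a = 1$: the signature already known. Exchanging the roles of $x$ and $x'$ excludes forgeries under $\{p'\}$ in the same way, and under any unused set $P''$ the denominators $p$ and $p'$ never cancel at all.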

Note that if m is a one-way hash function of a message, signatures on other mes- 
sages can be forged if the hash function is broken. This is of course a separate prob- 
lem from the security of the signature scheme. 

From the above we conclude that an attacker cannot, under the RSA assumption, 
produce a signature product that is not already computed by the signer. This finishes 
the proof that the signature scheme is secure. 
Conclusion

It was already known that a signature with provable unforgeability existed under the 
factoring assumption. Our scheme, based on the modular root assumption, improves 
on the scheme in the literature on several points: signatures are smaller, while signing 
and verification use much less memory and computation. The new scheme has a large 
degree of flexibility, allowing the signing of both long and short messages by varying 
the parameters. 

References 

[BCDP90] J. F. Boyar, D. Chaum, I. B. Damgård and T. Pedersen: Convertible Undeniable Signatures, Advances in Cryptology: Proc. Crypto '90 (Santa Barbara, CA, August 1990), to be published.

[BD85] E. F. Brickell and J. M. DeLaurentis: An Attack on a Signature Scheme proposed by Okamoto and Shiraishi, Advances in Cryptology: Proc. Crypto '85 (Santa Barbara, CA, August 1985), pp. 28-31.

[Bet88] T. Beth: A Fiat-Shamir-like Authentication Protocol for the ElGamal Scheme, Advances in Cryptology: Proc. Eurocrypt '88 (Davos, Switzerland, May 1988), pp. 77-86.

[BM88] M. Bellare and S. Micali: How to Sign Given any Trapdoor Function, Advances in Cryptology: Proc. Crypto '88 (Santa Barbara, CA, August 1988), pp. 200-215.

[Bos92] J. N. E. Bos: Practical Privacy, dissertation of the Eindhoven University of Technology, March 1992.

[CA89] D. Chaum and H. van Antwerpen: Undeniable Signatures, Advances in Cryptology: Proc. Crypto '89 (Santa Barbara, CA, August 1989), pp. 212-216.

[Cha82] D. Chaum: Blind Signatures for Untraceable Payments, Advances in Cryptology: Proc. Crypto '82 (Santa Barbara, CA, August 1982), pp. 199-203.

[Cha90] D. Chaum: Zero-knowledge Undeniable Signatures, Advances in Cryptology: Proc. Eurocrypt '90 (Århus, Denmark, May 1990), pp. 458-464.

[CHP91] D. Chaum, E. van Heijst, and B. Pfitzmann: Cryptographically Strong Undeniable Signatures, Unconditionally Secure for the Signer, Advances in Cryptology: Proc. Crypto '91 (Santa Barbara, CA, August 1991), to be published.

[CR90] D. Chaum and S. Roijakkers: Unconditionally Secure Digital Signatures, Advances in Cryptology: Proc. Crypto '90 (Santa Barbara, CA, August 1990), pp. 209-217.

[Den84] D. E. R. Denning: Digital Signatures with RSA and Other Public-Key Cryptosystems, Comm. ACM 27 (No. 4, April 1984), pp. 388-392.

[DH76] W. Diffie and M. E. Hellman: New Directions in Cryptography, IEEE Trans. Information Theory IT-22 (No. 6, November 1976), pp. 644-654.

[DLM82] R. DeMillo, N. Lynch, and M. Merritt: Cryptographic Protocols, Proc. 14th ACM Symp. Theory of Computing (San Francisco, CA, May 1982), pp. 383-400.

[EAKMM85] D. Estes, L. M. Adleman, K. Kompella, K. McCurley, and G. L. Miller: Breaking the Ong-Schnorr-Shamir Signature Scheme for Quadratic Number Fields, Advances in Cryptology: Proc. Crypto '85 (Santa Barbara, CA, August 1985), pp. 3-13.

[EGL89] S. Even, O. Goldreich, and A. Lempel: A Randomized Protocol for Signing Contracts, Advances in Cryptology: Proc. Crypto '89 (Santa Barbara, CA, August 1989), pp. 205-210.

[EGM89] S. Even, O. Goldreich, and S. Micali: On-line/Off-line Digital Signatures, Advances in Cryptology: Proc. Crypto '89 (Santa Barbara, CA, August 1989), pp. 263-275.

[EH90] J-H. Evertse and E. van Heyst: Which RSA Signatures can be Computed from Some Given Signatures?, Advances in Cryptology: Proc. Eurocrypt '90 (Århus, Denmark, May 1990), pp. 83-97.

[EH91] J-H. Evertse and E. van Heyst: Which RSA Signatures can be Computed from Certain Given Signatures?, Report W 91-06, February 1991, Mathematical Institute, University of Leiden.

[ElG85] T. ElGamal: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms, IEEE Trans. Information Theory IT-31 (No. 4, July 1985), pp. 469-472.

[FS86] A. Fiat and A. Shamir: How to Prove Yourself: Practical Solutions to Identification and Signature Problems, Advances in Cryptology: Proc. Crypto '86 (Santa Barbara, CA, August 1986), pp. 186-194.

[GMR84] S. Goldwasser, S. Micali, and R. L. Rivest: A "Paradoxical" Solution to the Signature Problem, Proc. 25th IEEE Symp. Foundations of Computer Science (Singer Island, 1984), pp. 441-448.

[GMR88] S. Goldwasser, S. Micali, and R. L. Rivest: A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks, SIAM Journal on Computing 17 (No. 2, April 1988), pp. 281-308.

[GMY83] S. Goldwasser, S. Micali, and A. Yao: Strong Signature Schemes, Proc. 15th ACM Symp. Theory of Computing (Boston, MA, April 1983), pp. 431-439.

[Gol86] O. Goldreich: Two Remarks Concerning the Goldwasser-Micali-Rivest Signature Scheme, Advances in Cryptology: Proc. Crypto '86 (Santa Barbara, CA, August 1986), pp. 104-110.

[Gol86a] O. Goldreich: Two Remarks Concerning the Goldwasser-Micali-Rivest Signature Scheme, Report MIT/LCS/TM-315, Massachusetts Institute of Technology.

[Hay90] B. Hayes: Anonymous One-Time Signatures and Flexible Untraceable Electronic Cash, Advances in Cryptology: Proc. Auscrypt '90 (Sydney, Australia, January 1990), pp. 294-305.

[Lie81] K. Lieberherr: Uniform Complexity and Digital Signatures, Theoretical Computer Science 16 (1981), pp. 99-110.

[Mau91] U. Maurer: Non-interactive Public Key Cryptography, Advances in Cryptology: Proc. Eurocrypt '91 (Brighton, United Kingdom, April 1991), to be published.

[Mer89] R. C. Merkle: A Certified Digital Signature, Advances in Cryptology: Proc. Crypto '89 (Santa Barbara, CA, August 1989), pp. 218-238.

[MH78] R. C. Merkle and M. E. Hellman: Hiding Information and Signatures in Trapdoor Knapsacks, IEEE Trans. Information Theory IT-24 (No. 5, September 1978), pp. 525-530.

[Oka88] T. Okamoto: A Digital Multisignature Scheme Using Bijective Public-Key Cryptosystems, ACM Trans. Computer Systems 6 (No. 4, November 1988), pp. 432-441.

[OS85] T. Okamoto and A. Shiraishi: A Fast Signature Scheme Based on Quadratic Inequalities, Proc. 1985 Symp. Security and Privacy (Oakland, CA, April 1985), pp. 123-131.

[OSS84] H. Ong, C. P. Schnorr, and A. Shamir: Efficient Signature Schemes based on Polynomial Equations, Advances in Cryptology: Proc. Crypto '84 (Santa Barbara, CA, August 1984), pp. 37-46.

[Rab77] M. O. Rabin: Digitalized Signatures, Foundations of Secure Computation 1977 (Atlanta, GA, October 1977), pp. 155-168.

[Rab79] M. O. Rabin: Digitalized Signatures and Public-key Functions as Intractable as Factorization, Report MIT/LCS/TR-212, Massachusetts Institute of Technology.

[Roo91] P. J. N. de Rooij: On the Security of the Schnorr Scheme using Preprocessing, Proc.

Eurocrypt '91 (Brighton, United Kingdom), to be published. 
[RSA78] R. L. Rivest, A. Shamir, and VL Adleman: A Method for Obtaining Digital Signatures 

and Public Key Cry ptosy stems. Comm. ACM 21 (No 2, February 1978), pp. 120-126. 
[Sch89] C. P. Schnorr: Efficient Identification and Signatures for Smart Cards, Advances in 

Cryptology: Proc. Crypto '89 (Santa Barbara, CA, August 1989), pp. 239-251. 
[Sha78] A. Shamir: A Fast Signature Scheme, Report MIT/LCS/TR-107, Massachusetts Institute of 

Technology. 

[Sha82] A. Shamir: A polynomial Time Algorithm for Breaking the Basic Merkle-Heilman 
Cryptosystem, Proc. 23rd IEEE Symp. Foundations of Computer Science (Chicago, IL, 
1982), pp. 145-151 

[Sha83] A. Shamir: On the Generation of Cryptographicaliy Strong Pseudorandom Sequences, 

ACM Trans. Computer Systems 1 (No. 1, February 1983), pp. 38-44. 
[Sha84] A. Shamir: Identity-based Cryptosystems and Signature Schemes, Advances in 

Cryptology: Proc. Crypto '84 (Santa Barbara, CA, August 1984), pp. 47-53. 
[SQV89] M. de Soete, J.-J. Quisquater, and K. Vledder: A Signature with Shared Verification 

Scheme, Advances in Cryptology: Proc. Crypto '89 (Santa Barbara, CA, August 1989), pp. 

253-26Z 

[Tu84] Y. Tulpan: Fast Cryptoanalysts of a Fast Signature System, Master's thesis in Applied 

Mathematics, Weizmarm Institute, Israel, 1984. 
[WU80] H. C. Williams, A Modification of the RSA Public-Key Encryption Procedure, IEEE Trans. 

Information Theory IT-26, (No. 6, November 1980), pp. 726-729. 
[Yuv79] G. Yuval: How to Swindle Rabin, Cryptologi* 3 (No. 3, July 1979), pp. 187-189. 



New Constructions of Fail-Stop Signatures 
and Lower Bounds 

(Extended Abstract) 
Eugene van Heijst¹, Torben Pryds Pedersen², Birgit Pfitzmann³

Abstract. With a fail-stop signature scheme, the supposed signer of a forged signature can prove 
to everybody else that it was a forgery. Thus the signer is secure even against computationally 
unrestricted forgers. Until recently, efficient constructions were only known for restricted cases, 
but at Eurocrypt '92, van Heijst and Pedersen presented an efficient general scheme, where the 
unforgeability is based on the discrete logarithm. 

We present a similar scheme based on factoring: Signing a message block requires 
approximately one modular exponentiation, and testing it requires a little more than two 
exponentiations. It is useful to have such alternative constructions in case one of the unproven 
assumptions is broken. 

With all fail-stop signatures so far, the size of the secret key is linear in the number of 
messages to be signed. In one sense, we prove that this cannot be avoided: The signer needs so 
many secretly chosen random bits. However, this does not imply that these bits ever have to be 
secretly stored at the same time: We present a practical construction with only logarithmic secret 
storage and a less practical one where the amount of secret storage is constant. 

We also prove rather small lower bounds for the length of public keys and signatures. All 
three lower bounds are within a small factor of what can be achieved with one of the known 
schemes. 

Finally, we prove that with unconditionally secure signatures, like those presented by Chaum 
and Roijakkers at Crypto '90, the length of a signature is at least linear in the number of 
participants who can test it. This shows that such schemes cannot be as efficient as fail-stop 
signatures. 



1 Introduction and Overview over the Results 

Ordinary and Fail-Stop Signatures 

Ordinary digital signatures, as introduced in [DH76] and formally defined in [GMR88], 
allow a person who knows a secret key to make signatures that everybody else can verify 
with a corresponding public key. Such signatures can only be computationally secure: A 
forger with unrestricted computing power can always forge signatures of other persons. 
The security of the schemes relies on the fact that a realistic forger has not enough time to 
carry out brute-force search and the assumption that there is no really efficient algorithm to 
compute forgeries. 
With fail-stop signatures, introduced in [WP90] and formally defined in [PW90], 
unforgeability also relies on a computational assumption. If nevertheless a signature is 
forged, the alleged signer can prove that the signature is a forgery. More precisely, she can 
prove that the underlying computational assumption has been broken. This proof may fail 
with an exponentially small probability, but the ability to prove forgeries does not rely on 
any cryptographic assumption and is independent of the computing power of the forger. 
Thus a polynomially bounded signer can be protected from an all-powerful forger. 
Moreover, after the first forgery, all participants, or the system operator, know that the 
signature scheme has been broken, so that it can be stopped. This is where the name "fail- 
stop" comes from. 

For more details about possible benefits of fail-stop signatures in applications, e.g., in 
electronic payment systems, and possible advantages for the acceptability of digital 
signatures in law, see [PW91, P91]. 

Previous Constructions 

So far, there have been three significantly different results about fail-stop signatures. 

Theoretically, fail-stop signature schemes are known to exist if claw-free pairs of 
permutations (not necessarily with trap-door) exist; see [BPW91, PW91] for descriptions 
and [PW90] for a proof. In particular, this shows that fail-stop signatures exist if factoring 
large integers or computing discrete logarithms is hard. The construction uses one-time 
signatures, similar to [L79], i.e., messages are basically signed bit by bit. Therefore, 
although messages can be hashed before signing and tree-authentication is used (similar to 
[M80]), this general construction is not very efficient. 

There is an efficient variant especially suited for making clients unconditionally secure in 
on-line payment systems, see [P91]. However, in this scheme, all signatures by one client 
(with one key) must have the same recipient, like the bank in a payment system. 
Furthermore, signing is a 3-round protocol between the signer and the recipient. 

The first efficient general fail-stop signature scheme was presented in [HP92]. The 
unforgeability relies on a discrete logarithm assumption. Signatures for one message block 
are about as efficient as with RSA. Messages can be hashed before signing. In contrast to 
RSA, the signer needs some new random bits for each new signature, and tree 
authentication is needed to keep the public keys short. However, fast hash functions can be 
used without reducing the security of the signer. 

Related Types of Systems 

In [CKP92], unconditional security for the signer was achieved in undeniable signatures 
(cf, [CA90]). The construction was the first not to use bit-by-bit signing. Apart from the 
usual differences between ordinary and undeniable signatures, this scheme differs from 
efficient fail-stop signatures in two ways: First, although the signatures themselves are 
efficient, the verification protocol requires quite a lot of computation, because it needs $\sigma$ 
challenges (similar to signatures) to achieve an error probability of $2^{-\sigma}$. Secondly, if the 
computational assumption is broken, signers can disavow signatures, but there is no way 
for the recipient to prove to a third party that this is due to cheating (whereas with fail-stop 
signatures, third parties can distinguish whether the signatures just don't pass the test, or 
whether they are disavowed due to a proof of forgery). In particular, one cannot stop the 
scheme as soon as this happens. 

In [CR91], unconditionally secure signatures were introduced, i.e., signature-like schemes 
where both the signer and the recipient are unconditionally secure. In [PW92], a 
transferable version was presented, i.e., signatures can be passed on from one recipient to 
another, and security against active attacks on recipients was achieved; such attacks must be 
considered because the recipients, too, have secret information in such schemes. With these 
extensions, unconditionally secure signatures could in principle replace other signatures in 
many applications. So far, however, they are too inefficient to be used in practice: They 
require a complicated interactive key generation protocol in many rounds, and signatures are 
very long. Hence they cannot replace ordinary or fail-stop signatures at present. 

Overview over the New Results 

We present two new constructions of efficient fail-stop signatures (Ch. 3 and 5) and some 
general lower bounds (Ch. 4). 

The first construction has similar properties to that from [HP92], but the unforgeability is 
based on factoring instead of the discrete logarithm. Signing a message block requires about 
one modular exponentiation, testing a little more than two. Key exchange is in general more 
complicated than for the discrete logarithm scheme. Nevertheless, with all types of 
cryptographic systems it is useful to have alternative constructions, in case one of the 
unproven assumptions is broken. 

The second construction and the first lower bound deal with the fact that in all fail-stop 
signature schemes so far, the size of the secret key is linear in the number of messages to be 
signed. We show that in the sense of secret storage needed, this can be avoided, whereas in 
the sense of choosing secret random bits, it cannot. 

Constructions with small secret storage may be important since secret storage is quite 
hard to realize: One needs a more or less tamper-proof device. In contrast, information can 
quite easily be stored just securely, since one can distribute several copies. (Note that even 
ordinary digital signatures assume that a lot of information can be stored securely, since all 
signatures must usually be stored by their recipients.) In Ch. 5, we present an efficient 
construction where the size of the secret storage space is logarithmic in the number of 
messages to be signed, and an otherwise less efficient variant where this size is constant. 

For the lower bounds, we assume that the probability that a forgery cannot be proved is 
smaller than $2^{-\sigma}$ for some security parameter $\sigma$, and that the recipient wants a similar level 
of security at least against simple brute-force forging algorithms. Then the most important 
result we obtain about fail-stop signatures is: 

• If $N$ messages are to be signed, the signer needs at least $(N+1)(\sigma-1)$ secretly chosen 
random bits. More precisely, this is a lower bound for the entropy of her secrets, given 
the public key. 

Additionally, we show two more lower bounds for fail-stop signatures. They are not much 
larger than similar bounds for ordinary digital signatures would be, since they concern 
parameters where the difference between current fail-stop signatures and ordinary digital 
signatures is already quite small. 
• The entropy, and hence the length, of a signature is at least $2\sigma - 1$, and the entropy of 
the public key is at least $\sigma$, even if a prekey is already given, i.e., some information 
trusted by recipients and chosen before the signer chooses her actual keys. 

Finally, we show that unconditionally secure signatures cannot be as efficient as fail-stop 
signatures: 

• The entropy (and thus the length) of each unconditionally secure signature that can be 
tested by $M$ participants, including those that only have to settle disputes, is at least 
$M\sigma$. 

2 Brief Sketch of Definitions 

Like an ordinary digital signature scheme, a fail-stop signature scheme contains a method to 
generate secret and public keys and algorithms sign for signing messages and test for testing 
signatures. Additionally, there is an algorithm prove, which the signer uses to produce a 
proof of forgery from a forged signature, and an algorithm proof_test, which everybody 
else uses to test if something really is a proof of forgery. 

A secure fail-stop signature scheme has the following properties, where 2. is a 
consequence of the others: 

1. If the signer signs a message correctly, then the recipient accepts the signature. 

2. A polynomially bounded forger cannot make signatures that pass the signature test. 

3. If an unrestricted forger succeeds in constructing a signature that passes the signature 
test, then with "overwhelming" probability, the signer can produce a proof of forgery 
that convinces any third party that a forgery has in fact occurred (i.e., the output of 
prove passes proof_test). 

4. A polynomially bounded signer cannot make a (false) signature that she can later prove 
to be a forgery. 

The basic idea to achieve these properties is that (exponentially) many secret keys 
correspond to each public key, and different secret keys give different signatures on the 
same message. The signer knows exactly one of these secret keys and can only construct 
one of the possible signatures on a given message. However, even an arbitrarily powerful 
forger does not have sufficient (Shannon) information to determine which of the many 
possible signatures the signer can construct on a new message. Consequently, with very 
high probability a forged signature will be different from the signature that the signer would 
have constructed. The knowledge of two different signatures on the same message then 
yields a proof of forgery. 

Since there must be security for both signers (see 3.) and recipients (see 4.), both take 
part in key generation. Usually, the recipient (or all possible recipients together, or a device 
trusted by all recipients) chooses a value called prekey, such as a number that the signer 
cannot factor, and then the signer chooses the real secret and public key based on this 
prekey. However, we prove the lower bounds for an arbitrary key generation protocol. 

There are also two security parameters: $\sigma$ determines that the probability of unprovable 
forgeries is smaller than $2^{-\sigma}$, and $k$ is the parameter for the cryptographic security of the 
recipient. Usual choices of $\sigma$ may be between 40 and 100, whereas $k$, if it is the binary 
length of numbers that should be hard to factor in Ch. 3, must be larger than 500. 

Remark: Note that it is not a matter of the definition how one acts if a proof of forgery 
occurs. In particular, instead of making signers unconditionally secure by invalidating 
signatures after proofs of forgery, one could leave the responsibility with the signer. Then 
one has all the properties of an ordinary digital signature scheme, plus the possibility to stop 
after forgeries. (This shows that fail-stop signatures are a strictly stronger notion.) 

Furthermore, the current definition does not specify for how much of a system a 
particular proof of forgery is valid. As long as forging even one signature is provably as 
hard as, say, factoring, one should stop the whole scheme after any forgery, because if one 
signature has been forged, the same forger can probably forge them all. Therefore, the 
constructions usually assume that there is just one type of proof of forgery. However, it is 
no problem to make proofs of forgery specific to the keys of individual signers or even 
(although currently with some loss in efficiency) to each particular signature. ♦ 

For a complete formal definition, see [PW90]. In this abstract, we will only make those 
parts more precise that are actually needed in the proofs of the lower bounds. 

3 Efficient Fail-Stop Signatures based on Factoring 

This section presents a fail-stop signature scheme based on the assumption that it is 
infeasible to factor large integers. To emphasize the generality of the construction, the 
scheme is first described in general terms. Like in [HP92], we first present a version for 
signing just one message block. 

3.1 General Structure of the Construction 

The following construction generalizes that from [HP92]. We base it on so-called bundling 
homomorphisms, i.e., functions $h$ with the following properties: 

1. $h$ is a homomorphism between two Abelian groups. 

2. Given an image $h(a)$, there exist at least $2^\tau$ possible preimages. 

3. It is infeasible to find collisions, i.e., two different values that are mapped to the same 
value by h. 

More precisely, there must be a family of such functions and groups, and a key generation 
algorithm that selects a particular function $h$, given $\tau$ and a security parameter $k$. One also 
needs efficient algorithms for the group operations and to choose random elements. 

Now we define all the components of a fail-stop signature scheme (cf. Ch. 2): 

• Prekey: The recipient selects a function $h$ from the family. Let the domain be $G$ and the 
range $H$. 

• Prekey test: The recipient must prove that his choice of $h$ was correct, or at least that his 
$h$ is in a set of functions with Properties 1 and 2 (which are needed for the security of 
the signer). 

• Secret key: $sk := (sk_1, sk_2)$, where $sk_1, sk_2$ are chosen at random from $G$. 

• Public key: $pk := (pk_1, pk_2)$, where $pk_i = h(sk_i)$ for $i = 1, 2$. 

• Signing: $sign(sk, m) = sk_1 \cdot sk_2^m$ for messages $m$ from a subset (to be defined) of $\mathbb{Z}$. 

• Test: $test(pk, m, s) = ok :\Leftrightarrow pk_1 \cdot pk_2^m = h(s)$. 

• Proving forgeries: Given a forged signature $s'$ on a message $m^*$, the signer computes 
$s = sign(sk, m^*)$, and if $s \neq s'$, she uses the pair $(s, s')$ as a proof of forgery. 

• Testing proofs of forgery: Given two elements of $G$, verify that they collide under $h$. 

Theorem 1: Independently of the choice of $h$, the following holds: 

1. Correct signatures pass the test: $h(s) = h(sk_1 \cdot sk_2^m) = pk_1 \cdot pk_2^m$. 

2. A polynomially bounded signer cannot construct a signature and a proof that it is a 
forgery. 

3. If $s'$ is a forged signature on $m^*$ and $s' \neq sign(sk, m^*)$, then the signer obtains a valid 
proof of forgery. ♦ 

Proof: Follows easily from the definitions. □ 

This theorem shows that the general scheme is secure for the recipients, and that it is also 
secure for the signer if even an all-powerful forger cannot guess a correct signature 
s = sign(sk, m*), except with a very small probability. In order to estimate the probability 
with which a forger can guess s, first note that the public key contains no information about 
which of at least $2^{2\tau}$ possible secret keys the signer actually has. However, after having 
received a signature on a message m, the forger has more information about sk. Theorem 2 
gives a condition for when this information is not sufficient to construct new signatures that 
the signer cannot repudiate: 

Theorem 2: Let $pk$, a signature $s = sign(sk, m)$, and a message $m^* \neq m$ be given, and let 
$m' := m^* - m$. Whatever value $s'$ an all-powerful forger selects as a forged signature on 
$m^*$, the probability that it is correct is at most $|T| / 2^\tau$, where 

$T := \{d \in G \mid h(d) = 1 \wedge d^{m'} = 1\} = \{d \mid h(d) = 1 \wedge ord(d) \mid m'\}$. 

(The probability is given by the secret keys that are still possible when $pk$ and $s$ are known.) ♦ 

Proof: The set of possible secret keys is 

$SK^* := \{(sk_1, sk_2) \in G \times G \mid h(sk_1) = pk_1 \wedge h(sk_2) = pk_2 \wedge sk_1 \cdot sk_2^m = s\} = \{(s / sk_2^m, sk_2) \mid h(sk_2) = pk_2\}$, 

because of the homomorphism property; and the size of this set is $2^\tau$. The attacker is 
successful if 

$sk_1 \cdot sk_2^{m^*} = s'$. 

For keys from $SK^*$, this equation is equivalent to $sk_2^{m'} = s'/s$. This equation may be 
unsolvable, but if there is any solution $sk_2^*$, then the set of all solutions in $SK^*$ is 

$\{(s / sk_2^m, sk_2) \mid h(sk_2 / sk_2^*) = 1 \wedge (sk_2 / sk_2^*)^{m'} = 1\}$. 

Hence the number of solutions is $|T|$, and the attacker is successful with the claimed 
probability. □ 

Consequently, in order to estimate the probability of successful forgeries we must find the 
size of T. This size depends on the chosen family of homomorphisms. 



3.2 The Special Case with Factoring 

Our family of bundling homomorphisms was defined in [BPW91], using ideas from 
[GMR88, G87]: A member of the family is characterized by $\tau$ and a $k$-bit integer $n = pq$, 
with $p, q$ prime and $p \equiv 3$ and $q \equiv 7 \bmod 8$. We omit $\tau$ and $n$ in the following. The groups 
are 

$H = \pm QR / \{\pm 1\}$, and $G = \mathbb{Z}_{2^\tau} \times H$, 

where $QR$ denotes the group of quadratic residues modulo $n$, and the operation on $G$ is 
given by 

$(a, x) \cdot (b, y) := ((a + b) \bmod 2^\tau,\ x \cdot y \cdot 4^{(a + b)\ \mathrm{div}\ 2^\tau})$. 

Elements of $H$ are represented by numbers between 0 and $n/2$; $H$ is used instead of $QR$ 
because membership can be tested efficiently. The unit element of $G$ is $(0, 1)$. The 
homomorphism is given by 

$h((a, x)) = \pm(4^a \cdot x^{2^\tau})$. 

Theorem 3: The construction described above is a family of bundling homomorphisms. 
Properties 1 and 2 even hold for any odd $n$. Furthermore, if $n$ is chosen correctly or at least 
as $n = p^r q^s$ where $p$ and $q$ are correct and $r, s$ odd, then for any $a, z$, there exists exactly one 
$x$ so that $h((a, x)) = z$. ♦ 

Proof: See [BPW91]. The last sentence is only proved for correctly chosen $n$ there, but the 
same proof is valid for the more general form. □ 

To use these homomorphisms in a fail-stop signature scheme according to Sect. 3.1, let the 
message space be $\{0, \ldots, 2^\rho - 1\}$ for some $\rho$ and $\tau := \rho + \sigma$. As an efficient prekey test, we 
use the protocol from [GP88] and a test that $n \equiv 5 \bmod 8$. Actually, this does not completely 
prove that $n$ is of the correct form, but it ensures that $n = p^r q^s$ where $p$ and $q$ are correct and 
$r, s$ odd. 

Theorem 4: With the definitions made above, the probability of undetected forgery is at 
most $2^{-\sigma}$. ♦ 

Proof: According to Th. 1 and 2, it only remains to prove $|T| \le 2^\rho$. Note that in $G$ 

$(a, x)^{m'} = (0, 1) \Rightarrow m' a \bmod 2^\tau = 0 \Rightarrow ord(a) \mid m'$. 

Hence $T \subseteq \{(a, x) \in G \mid h((a, x)) = 1 \wedge ord(a) \mid m'\}$. 

According to Th. 3, for each $a$, there is exactly one $x$ such that $h((a, x)) = 1$. Thus 

$|T| \le |\{a \in \mathbb{Z}_{2^\tau} \mid ord(a) \mid m'\}| = \gcd(2^\tau, m')$. (3) 

By the choice of message space, every pair of messages $m \neq m^*$ satisfies $|m - m^*| < 2^\rho$ and 
therefore $\gcd(2^\tau, m - m^*) < 2^\rho$. □ 

As to efficiency, first note that a multiplication in $G$ is mainly one modular multiplication, 
since the exponent of 4 is 0 or 1, and a multiplication by 4 can be replaced by shifts and 
subtractions. We can choose any fixed message length $\rho$; long messages are hashed before 
signing. Since even the hash functions as secure as factoring from [D88] take only one 
multiplication per message bit, i.e., not more than signing or testing, one should always 
hash messages as short as possible. Thus $\rho$ is determined by the size of the output of the 
hash function. In the following table of the efficiency of signing one message block, we 
assume $\rho = k$. If one trusts a faster hash function, or in applications where only short 
messages are signed, one can still gain efficiency by making $\rho$ smaller. 
sign: $k$ multiplications 

test: $2k + \sigma$ multiplications 

Length of $pk$: $2k$ 

Length of $sk$: $4k + 2\sigma$ 

Signature length: $2k + \sigma$ 

To sign several messages, one can use tree authentication as in [PW91, HP92], after 
[M80]. Note that key exchange is more efficient in [HP92] because the choice of the prekey 
is just a choice of random numbers, and no prekey test is necessary even if there is no 
trusted device to choose the prekey. 
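As an added worked example (not from the paper or its authors), the following Python code instantiates the one-block scheme of Sect. 3.1 with the factoring-based bundling homomorphism of Sect. 3.2, using the group operation on $G = \mathbb{Z}_{2^\tau} \times H$ and $h((a, x)) = \pm(4^a \cdot x^{2^\tau})$ as given above. The modulus $n = 437 = 19 \cdot 23$ (with $19 \equiv 3$ and $23 \equiv 7 \bmod 8$), $\rho = 2$ and $\sigma = 3$ are constructed toy values, far too small to be secure, chosen so that the set $SK^*$ of secret keys consistent with a public key and one signature (proof of Theorem 2) can be enumerated and the forger's best success probability compared with the bounds $|T| / 2^\tau$ and $2^{-\sigma}$. The algorithms sign, test, prove and proof_test of Sect. 3.1 appear as `sign`, `check_signature`, `prove` and `check_proof`; all helper names and the representation of $H$ by residues below $n/2$ are ours.

```python
# Added example (not the paper's code): fail-stop signatures for one message
# block (Sect. 3.1) over the factoring-based bundling homomorphism (Sect. 3.2).
# n = 437 = 19 * 23, rho and sigma are constructed toy values, NOT secure; they
# keep the key set SK* of Theorem 2 small enough to enumerate.
from collections import Counter

P, Q = 19, 23          # constructed toy primes: 19 = 3 mod 8, 23 = 7 mod 8
N = P * Q              # 437 = 5 mod 8, as the prekey test of Sect. 3.2 requires
RHO = 2                # message space is {0, ..., 2^rho - 1}
SIGMA = 3              # signer's security parameter (paper: 40..100)
TAU = RHO + SIGMA      # bundling degree: every image of h has 2^tau preimages

def _is_qr(y):
    """Euler's criterion mod both factors (we know them here; a forger need not)."""
    return (pow(y % P, (P - 1) // 2, P) == 1
            and pow(y % Q, (Q - 1) // 2, Q) == 1)

def h_norm(x):
    """Representative of the class {x, -x} in H = +-QR/{+-1}: the one below n/2."""
    x %= N
    return min(x, N - x)

# All of H, listed once; each class {x, -x} contains exactly one quadratic residue.
H_ELEMENTS = [x for x in range(1, N // 2 + 1) if _is_qr(x) or _is_qr(N - x)]

def g_mul(u, v):
    """Group operation on G: ((a+b) mod 2^tau, x*y*4^((a+b) div 2^tau))."""
    (a, x), (b, y) = u, v
    s = a + b
    return (s % 2**TAU, h_norm(x * y * pow(4, s // 2**TAU, N)))

def g_pow(u, e):
    """u^e in G for e >= 0 by square-and-multiply; (0, 1) is the unit element."""
    result, base = (0, 1), u
    while e:
        if e & 1:
            result = g_mul(result, base)
        base = g_mul(base, base)
        e >>= 1
    return result

def h(u):
    """Bundling homomorphism h((a, x)) = +-(4^a * x^(2^tau)) from G to H."""
    a, x = u
    return h_norm(pow(4, a, N) * pow(x, 2**TAU, N))

def public_key(sk):
    """pk_i = h(sk_i) for the signer's secret key sk = (sk_1, sk_2), sk_i in G."""
    return tuple(h(k) for k in sk)

def sign(sk, m):
    """sign(sk, m) = sk_1 * sk_2^m in G."""
    assert 0 <= m < 2**RHO
    return g_mul(sk[0], g_pow(sk[1], m))

def check_signature(pk, m, s):
    """The paper's test: ok iff pk_1 * pk_2^m = h(s) in H."""
    return h_norm(pk[0] * pow(pk[1], m, N)) == h(s)

def prove(sk, m_star, s_forged):
    """The paper's prove: the signer's own signature paired with the forgery."""
    s = sign(sk, m_star)
    return (s, s_forged) if s != s_forged else None

def check_proof(proof):
    """The paper's proof_test: two different elements of G colliding under h."""
    s, s2 = proof
    return s != s2 and h(s) == h(s2)

def preimages(z):
    """All elements of G mapped to z by h (Theorem 3: exactly 2^tau of them)."""
    return [(a, x) for a in range(2**TAU) for x in H_ELEMENTS if h((a, x)) == z]

def consistent_keys(pk, m, s):
    """SK* of Theorem 2: every secret key that fits pk and the signature s on m."""
    return [(k1, k2) for k1 in preimages(pk[0]) for k2 in preimages(pk[1])
            if sign((k1, k2), m) == s]

def best_forgery_odds(pk, m, s, m_star):
    """(largest number of keys in SK* that agree on one signature for m_star, |SK*|);
    the ratio is the best forger's success probability, at most |T|/2^tau (Th. 2)."""
    keys = consistent_keys(pk, m, s)
    counts = Counter(sign(key, m_star) for key in keys)
    return max(counts.values()), len(keys)

if __name__ == "__main__":
    sk = ((5, H_ELEMENTS[7]), (21, H_ELEMENTS[40]))   # constructed fixed secret key
    pk = public_key(sk)
    s = sign(sk, 1)
    print("signature on m=1 passes test:", check_signature(pk, 1, s))
    print("|SK*| =", len(consistent_keys(pk, 1, s)), "= 2^tau =", 2**TAU)
    print("best forgery odds for m*=3:", best_forgery_odds(pk, 1, s, 3), "(bound 2^-sigma = 1/8)")
```

Running the file signs $m = 1$ under a fixed toy key, checks that a second preimage of $h(s)$ passes the signature test yet yields a valid proof of forgery, and shows that among the $2^\tau = 32$ keys in $SK^*$ no two agree on a signature for $m^* = 2$ (so a forger guesses right with probability $1/32$), while for $m^* = 3$, where $m' = 2$, at most $\gcd(2^\tau, m') = 2$ of them agree, consistent with eq. (3) and Theorem 4.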



4 Lower Bounds 

The idea of each of our proofs will first be described informally. For the formal sketches, 
we assume the reader knows the notions of conditional entropy, $H(X \mid Y)$, and mutual 
information, $I(X; Y)$; see [S49, G68 Sect. 2.2, 2.3]. Like in [G68], we use capital letters 
for random variables and small letters for corresponding values, and abbreviate $P(X = x)$ by 
$P(x)$ etc. The formula we need most is the chain rule to add entropies: 

$H(Y, Z \mid X) = H(Y \mid X) + H(Z \mid Y, X)$. 

Additionally, when we know that the probability that something can be guessed correctly is 
small, and want to derive that a conditional entropy is large, we often need Jensen's 
inequality for the special case of the logarithm [F71]: If $p_i > 0$ and $x_i > 0$ for all $i$, and the 
sum of the $p_i$'s is 1, then 

$\log \sum_i p_i x_i \ge \sum_i p_i \log(x_i)$. 

4.1 Secret Keys, or Rather, Secret Random Choices 

The basic reason why the signer needs a lot of secretly chosen random bits is: 

1. Even an arbitrarily powerful forger must not be able to guess the signer's correct 
signatures. 

2. Since this holds for each additional signature, even when some signatures are already 
known, the entropy of each new signature must be large, and therefore the overall 
entropy of the signer's secrets is large. 

However, sometimes the forger does know correct signatures on new messages. For 
instance, in schemes with message hashing, the forger knows the signatures on all 
messages with the same hash value as the original message. (Then the collision counts as a 
proof of forgery.) Hence Statement 1 does not hold absolutely. Instead, we will derive an 
average version as follows: 

1.1 With high probability, the signer should not obtain proofs of forgery if she applies 
prove to her correct signatures; otherwise she could cheat the recipient. (The probability 
is over the choice of the keys; we will see that we can leave the messages fixed.) 

1.2 Thus, on average, even an all-powerful forger must not be able to guess those correct 
signatures. 
In 1.1, the recipient's security is needed. (Note that the desired theorem cannot possibly be 
proved from the signer's security alone. As a counterexample consider that the signer were 
allowed to disavow all signatures in an ordinary digital signature scheme; then she would be 
unconditionally secure without many random bits, but the recipient would not be secure at 
all.) This is a problem, since the recipient's security, like all computational cryptographic 
definitions, is only defined asymptotically. It says: For any polynomial-time algorithm $A$ 
and any $c$, there exists $k_0$ so that the probability that $A$ successfully cheats the recipient is 
smaller than $k^{-c}$ for all $k > k_0$. Thus, in a certain sense, we can only derive lower bounds 
for $k > k_0$, for an unknown $k_0$. This may seem unsatisfactory: Nobody would have doubted 
that we need arbitrarily long keys if we make $k$ sufficiently large. 

However, note that the real purpose of our lower bounds is to say "whenever we have 
certain requirements on the security, then we have to pay the following price in terms of 
efficiency". In this section, this is more precisely: "If the signers want the probability of 
unprovable forgery to be at most $2^{-\sigma}$, and the recipients want some security, too, then at 
least the following number of random bits is needed (as a function of $\sigma$ and the security of 
the recipients)". 

To quantify the security of the recipient, it suffices for our purpose to consider the case of 
Statement 1.1 above, i.e., we consider the probability with which the signer can prove that 
her own correct signatures are forgeries just by applying the algorithm prove to them. In 
practice, one has to require this probability to be at most, say, $2^{-20}$, or, more generally, 
$2^{-\sigma^*}$ for some $\sigma^*$. We will prove the lower bounds as a function of this parameter $\sigma^*$ (in 
addition to the $\sigma$ from the signer's security). To formulate the theorem precisely, we need 
some more notation and partial definitions: 

• Key exchange and probability space: Key exchange is a protocol $G$ with inputs $\sigma$, $k$, 
and the number of messages to be signed, N, all in unary. The output is a pair (sk, pk) 
of a secret and a public key. For the lower bounds, we only need the case where all 
parties execute G honestly, and we always consider a fixed triple of parameters. Then 
the probabilities of sk and pk are uniquely determined, and we can define corresponding 
random variables SK and PK. 

Without loss of generality, we assume that all random bits that the signer needs are 
already in sk, so that sign is deterministic, and so are test, prove, and proof_test. Thus, 
the underlying probability space for all probabilities is that of the secret random bits used 
in the key exchange. 

• Signing: We make the lower bounds quite general by permitting the signer to use 
memory in a general way, i.e., signatures may depend on all previously signed 
messages. We even allow testing to be equally general, although this is only useful 
when there is a single recipient. 

• Probability that the signer can disavow her correct signatures: For every message 
sequence $\underline{m} = (m_1, \ldots, m_{N+1})$, we define a polynomial-time algorithm $A_{\underline{m}}$ to describe 
what a dishonest signer would do to disavow her own signatures: After executing $G$ 
correctly, i.e., on input $sk$, she first signs $m_1, \ldots, m_N$ correctly. Then, since $m_{N+1}$ is 
one message too much, she signs it as if she had not signed $m_N$. From each of these 
signatures, together with $sk$ and the history of preceding signatures, she tries to compute 
a proof of forgery using prove. (This algorithm should be rather useless!) 

If the fail-stop signature scheme, $N$, and $\sigma$ are fixed, we say that $k$ is large enough to 
provide the security level $\sigma^*$ for the recipient against $A_{\underline{m}}$ if the success probability of $A_{\underline{m}}$ 
is at most $2^{-\sigma^*}$.⁴ 

The formal version of the theorem is therefore: 

Theorem 5: Let a fail-stop signature scheme with actual parameters $\sigma$ and $N$ and a security 
level $\sigma^*$ be given. Let $\sigma' := \min(\sigma, \sigma^*)$. Then for all $k$ sufficiently large to provide the 
security level $\sigma^*$ for the recipient against the algorithm $A_{\underline{m}}$ for any sequence $\underline{m}$ of $N+1$ 
pairwise distinct messages⁵, 

$H(SK \mid PK) \ge (N+1)(\sigma' - 1)$. ♦ 

Since $\underline{m}$ is fixed within the theorem, we can omit it in the proof. Let $S_i$ denote the random 
variable of the signature on the $i$-th message of $\underline{m}$, and $Hist_i$ that of the history of the first $i$ 
signatures. The following lemma formalizes that on average, correct signatures cannot be 
guessed: 

Lemma 1: With the same notation as in Th. 5, for each $i \le N+1$: 

$H(S_i \mid PK, Hist_{i-1}) \ge \sigma' - 1$. ♦ 

We must omit the proof of Lemma 1 in this abstract. However, it proceeds along the 
informal description, exploiting the difference that correct signatures can usually not be 
disavowed, whereas guessed ones can, with an application of Jensen's inequality at the 
end. 

Proof of Th. 5: First we use Lemma 1 to show by induction over i that the entropy of all 
signatures together is large. Remember Hist_i = (S_1, ..., S_i). Hence, we show for all 
i ≤ N+1: 

$H(Hist_i \mid PK) \ge i(\sigma' - 1).$ (1) 

For i = 1, (1) is just Lemma 1. And if (1) has already been proved for i−1, then it holds for i 
because 

$H(Hist_i \mid PK) = H(S_i \mid PK, Hist_{i-1}) + H(Hist_{i-1} \mid PK) \ge (\sigma' - 1) + (i-1)(\sigma' - 1) = i(\sigma' - 1).$ 

We now use that signing is deterministic, i.e., SK uniquely determines Hist_{N+1}. This 
implies H(Hist_{N+1} | PK, SK) = 0, and therefore with the chain rule 

$H(SK \mid PK) = H(SK, Hist_{N+1} \mid PK) - H(Hist_{N+1} \mid PK, SK) = H(SK, Hist_{N+1} \mid PK) \ge H(Hist_{N+1} \mid PK) \ge (N+1)(\sigma' - 1).$ □ 

4.2 Signatures and Public Keys 

Signatures and public keys are not much longer in current fail-stop signature schemes than 
in ordinary signature schemes. Hence the lower bounds are very small, too. 
⁴ The formal definition of the recipient's security immediately implies the existence of k_0 such that all k ≥ 
k_0 have this property. We have now bypassed the problem that we do not know how large k_0 is because 
we just know that it must be large enough in a practical application. 

⁵ Note that we only require security against A_m for one message sequence m. The contrary is that all these 
algorithms work. 

The basic idea about the length of a signature is: 

a) First, there must be at least 2^σ acceptable signatures; otherwise the correct signature 
could be guessed too easily. 

b) Secondly, it must be hard for a forger to guess signatures at all. Thus the density of the 
set of acceptable signatures within the signature space should be small, e.g., at most 
2^{-σ*}. 

Hence we expect the size of the signature space to be at least 2^{σ+σ*}. Indeed, we prove more 
generally that the entropy of each signature is at least σ+σ*. What has to be done is: 

• Since the forger in (b) is computationally restricted, we must show that he could guess 
acceptable signatures efficiently if their density was too high. 

• As in 4.1, we must require that k is sufficiently large so that a concrete version of the 
asymptotic security against forgery holds. 

• We must express the idea with the density in information-theoretic terms. 

For this, we first define a simple algorithm T_m that tries to guess signatures on a message m 
(in a rather stupid way): T_m just chooses its own key pair (sk*, pk*) and signs m with sk*. 

Theorem 6: Assume a fail-stop signature scheme with actual parameters k, σ, N provides 
the security level σ* against forgery by an algorithm T_m. 

1. Let S be the random variable of the signature. Then 

$H(S) \ge \sigma' + \sigma^* - 1.$ 

(If the scheme is not memory-less, we obtain the same result for later messages by using 
the last message of a message sequence m.) 

2. $H(PK) \ge \sigma^*.$ ♦ 

The following lemma formalizes the density argument. The fact that the number of possible 
signatures, given the public key, is much smaller than the complete signature space is 
generalized as follows: The public key contains a lot of information about the correct 
signature. 

Lemma 2: With the same notation as in Th. 6, 

$I(S; PK) \ge \sigma^*.$ ♦ 

The proof must be omitted in this abstract. 

Proof of Th. 6: Lemma 2 means H(S) − H(S | PK) ≥ σ*; and a special case of Lemma 1 is 
H(S | PK) ≥ σ' − 1. Consequently, H(S) ≥ H(S | PK) + σ* ≥ σ' + σ* − 1. Furthermore, 
I(S; PK) ≤ H(PK). □ 

For the case with a prekey (cf. Ch. 2), we obtain the same results with an additional 
condition over K, i.e., H(S | K) ≥ σ' + σ* − 1 and H(PK | K) ≥ σ*. If, as usual in such 
schemes, PK is a function of SK, we obtain one more result by applying the chain rule to 
the last formula and Th. 5: 

Theorem 5*: In a fail-stop signature scheme with prekey, and where the public key is a 
function of the secret key, and with the same notation as in Th. 5 and 6, 

$H(SK \mid K) \ge (N+1)(\sigma' - 1) + \sigma^* \ge (N+2)(\sigma' - 1).$ ♦ 
4.3 Unconditionally Secure Signatures 

Unconditionally secure signature schemes could be achieved by replacing the globally 
known public key pk (which implied that an all-powerful forger could find acceptable 
signatures by brute-force search) by different test keys t_x for each recipient x. So far, this 
has made key exchange complicated and signatures long. 

Essentially, we prove that such signatures must indeed be at least as long as if they 
consisted of an independent part for each test key, i.e., they cannot be shortened by a 
suitable combination. Assume M people may want to test a signature (as a recipient, or to 
settle a dispute), and that the probability for successful forgeries is to be ≤ 2^{-σ}. The basic 
idea is: If some participants want to forge a signature on m, they can determine the set of 
signatures acceptable under all their test keys. Still, within this set, the density of signatures 
that another participant accepts must not exceed 2^{-σ}. Inductively, this implies that the size of 
the original signature space must be at least 2^{Mσ}. 

In Theorem 7, we generalize this to entropies, and we show that it holds for every 
signature, even if signing is not memory-less. 

Theorem 7: Consider an unconditionally secure signature scheme with M recipients where 
N messages can be signed and the probability of successful forgery is ≤ 2^{-σ}. For any given 
message sequence m, let S_i denote the random variable of the signature on the i-th message 
of m, and Hist_i that of the history of the first i signatures. Then 

$H(S_i \mid Hist_{i-1}) \ge M\sigma.$ ♦ 

The basic idea for the proof is formalized similar to Lemma 2: Even when some test keys 
are known, any other test key still gives a lot of information about the correct signature. 

Lemma 3: With the same notation as in Th. 7: For any set X of participants and y ∉ X, if 
T_X denotes the joint random variable of the test keys of X: 

$I(S_i; T_y \mid T_X, Hist_{i-1}) \ge \sigma.$ ♦ 

Again, we must omit the proof in this abstract. 

Proof of Th. 7: Lemma 3 means H(S_i | T_X, Hist_{i-1}) ≥ σ + H(S_i | T_{X∪{y}}, Hist_{i-1}). With 
induction over the size of X, one easily obtains the desired result. □ 

From Th. 7 and Lemma 3, with induction over i similar to that in Th. 5, we can also obtain 
H(SK) ≥ (N+1)Mσ and H(T_y | T_X) ≥ (N+1)σ. 

5 Fail-Stop Signatures with Small Secret Storage 

To show that the signer needs far less secret storage than the number of secret bits she must 
choose according to Th. 5, we proceed in two steps: First we show a simple construction 
where only a small amount of secret storage is needed at the start, i.e., directly after key 
exchange. Then we add additional measures so that the amount of secret storage is small all 
the time. 

The basis of this section is a fail-stop signature scheme for signing just one message of 
arbitrary length. We use the scheme described in Section 3.1 combined with message 
hashing. Hence the construction works for the schemes from [HP92] and Section 3.2. 
(a) Small amount of secret information at the start: Use "top-down" tree-authentication 
similar to [M88, GMR88]. (Note that a different "bottom-up" version, which is a little more 
efficient if one does not consider secret storage space, was normally used with fail-stop 
signatures so far.) Let a prekey, i.e., a bundling homomorphism h, be given. The signer 
starts with one pair of a secret and a public key at the root of the tree. Then she creates two 
children, each with a new key pair, and uses the old secret key to sign a message containing 
the two new public keys. For each of the two new nodes, she again constructs two children 
in the same way, and so on. Messages are signed using the secret keys at the leaves of the 
tree, and a complete signature is one branch of these original signatures. 

During key exchange, only the root of the tree has to exist, and to sign the first message, 
only the keys on the left-most branch and their immediate other children have to be 
generated. Figure 1 shows the situation after the first message, m_0, has been signed. 
Figure 1: Fail-stop signature scheme with "top-down" tree authentication. 

Thin black arrows denote the computation of a public key from a secret key in a 
basic scheme to sign just one message (like in Ch. 3, together with message 
hashing), broad grey arrows denote signatures in the basic scheme, and 
dotted lines just indicate a tree, but are not related to a computation. 



At any time, just one branch of the tree has to be stored for signing. However, so far, the 
individual secret keys sk_j that are used up, i.e., that are no longer needed for signing, must 
be stored until the end so that forgeries at any node can be proved. 

(b) Small amount of secret storage altogether: The basic idea to reduce secret storage further 
is to store values sk_j that are used up in encrypted form and to store just the key secretly. 
However, information-theoretically secure encryption is needed, and a one-time pad is of no 
use because the key would be just as long as the encrypted message. Hence special care 
must be taken that each individual sk_j is still secret enough, although information about the 
ensemble of sk_j's may become known. 

If the individual sk_j's are formed according to Section 3.1, this is achieved by the 
following additional steps: 

1. Initially, the signer chooses a value e ∈ G randomly as an encryption key. She keeps e 
secret all the time. 

2. Whenever the signer has used up a value sk_j = (sk_{j,1}, sk_{j,2}) by signing a message m_j, 
she proceeds as follows: 

• She encrypts sk_{j,2} as c_j := sk_{j,2} · e. 

• She stores m_j, the signature s_j, and the ciphertext c_j securely, but not necessarily 
secretly. 

Theorem 8: If the tree construction described in (a) is applied to a secure fail-stop signature 
scheme constructed according to Section 3.1 together with message hashing, and the 
additional steps described in (b) are taken, then we have a secure fail-stop signature scheme 
again. ♦ 

Proof: First, the signer can reconstruct any secret key sk_j if she needs it to prove a forgery: 
She decrypts sk_{j,2} = c_j / e and then recomputes sk_{j,1} = s_j / sk_{j,2}^m, where m is the hash value 
of m_j. 

Hence, whenever a signature for a node j is forged and it is different from the signature 
the signer would have produced for the same message, the signer can prove this forgery just 
as in Section 3.1. Furthermore, every complete forgery s* (i.e., a branch of the tree) must 
be linked into the correct tree somewhere, i.e., it contains at least one such forgery at a node 
j for the correct pk_j. 

Thus it remains to show that the additional information stored securely does not help a 
forger to find exactly the signature that the signer would have produced at node j. This 
signature depends only on sk_j (i.e., not on the values sk_l at other nodes). In the original 
scheme, the set of possible values sk_j from the point of view of a forger was SK_j* = 
{(s_j / sk_{j,2}^m, sk_{j,2}) | h(sk_{j,2}) = pk_{j,2}}. Hence it suffices to show that all these values are still 
possible when the forger has seen c_j and all the other ciphertexts c_l. 

Let such a value sk*_{j,2} be given. It corresponds to exactly one key e* = c_j / sk*_{j,2}. This 
implies that the other plaintexts must be sk*_{l,2} = c_l / e* = sk*_{j,2} · c_l / c_j. The only question 
is if these are possible plaintexts, i.e., if h(sk*_{l,2}) = pk_{l,2}. On the one hand, h(sk*_{l,2}) = 
h(sk*_{j,2}) · h(c_l) / h(c_j) = pk_{j,2} · h(c_l) / h(c_j). On the other hand, h(c_l) = h(sk_{l,2}) · h(e) = 
pk_{l,2} · h(e) and h(c_j) = pk_{j,2} · h(e), hence h(c_l) / h(c_j) = pk_{l,2} / pk_{j,2}. This yields h(sk*_{l,2}) = 

Consequences: If this construction is applied to a usual complete tree, then it is very 
practical, and at any time, only e and the secret keys that have been marked "use later", i.e., 
at most one per level of the tree, must be stored secretly. This is a logarithmic amount. 

If we use a list-like tree, i.e., the left child of each node is a real message, we only need 
two sk_j's at any time. However, later signatures are very long. Thus the list-like version 
should only be used with a fixed recipient, who can store the part of the list he already 
received, like in [P91]. 

One can also use trees of other forms or combine it with other methods to sign several 
messages from [HP92]. 

6 Conclusion 

We have constructed efficient fail-stop signatures based on the assumption that factoring 
large integers is hard, giving an alternative to the previous scheme based on a discrete 
logarithm assumption. We also presented a construction which only needs a small amount 
of secret storage space, whereas in all previous constructions, a secret key whose length 
was linear in the number of signatures to be issued was stored all the time. 

On the other hand, we proved that there is a definite difference to ordinary digital 
signatures in that the signer must choose an amount of random bits linear in the number of 
signatures to be issued. Finally, we showed that there is no hope that unconditionally secure 
signatures can become as efficient as fail-stop signatures, because the length of each 
unconditionally secure signature is linear in the number of participants who can test it, 
whereas the length of a fail-stop signature (or an ordinary digital signature) does not depend 
on this number. 
Abstract. This paper presents a three-move interactive identification 
scheme and proves it to be as secure as the discrete logarithm prob- 
lem. This provably secure scheme is almost as efficient as the Schnorr 
identification scheme, while the Schnorr scheme is not provably secure. 
This paper also presents another practical identification scheme which is 
proven to be as secure as the factoring problem and is almost as efficient 
as the Guillou-Quisquater identification scheme: the Guillou-Quisquater 
scheme is not provably secure. We also propose practical digital signature 
schemes based on these identification schemes. The signature schemes 
are almost as efficient as the Schnorr and Guillou-Quisquater signa- 
ture schemes, while the security assumptions of our signature schemes 
are weaker than those of the Schnorr and Guillou-Quisquater signature 
schemes. This paper also gives a theoretically generalized result: a three- 
move identification scheme can be constructed which is as secure as the 
random-self-reducible problem. Moreover, this paper proposes a variant 
which is proven to be as secure as the difficulty of solving both the 
discrete logarithm problem and the specific factoring problem simulta- 
neously. Some other variants such as an identity-based variant and an 
elliptic curve variant are also proposed. 



1 Introduction 



Public-key based identification schemes and digital signature schemes are very 
useful and fundamental tools in many applications such as electronic fund trans- 
fer and online systems for preventing data access by invalid users and proving 
the authenticity of messages. 

Identification schemes are typical applications of zero-knowledge interactive 
proofs [GMRa], and several practical zero-knowledge identification schemes have 
been proposed [Bet, FiS, FFS, OhOl]. However, the zero-knowledge identifica- 
tion schemes have the following shortcomings in practice, where we simply call 
"black-box simulation zero-knowledge" "zero-knowledge", since we do not know 
of any effective measure to prove zero-knowledgeness except the black-box sim- 
ulation technique, although "auxiliary-input zero-knowledge" is more general 
than "black-box simulation zero-knowledge": 

E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 31-53, 1993. 
© Springer-Verlag Berlin Heidelberg 1993 
- A zero-knowledge identification scheme requires more than three interac- 
tions (three-moves¹) from Goldreich et al.'s result [GK] unless the language 
for the proof is trivial. A zero-knowledge protocol is less practical than the 
corresponding (three-move) parallel version since interaction over a network 
often requires more time than taken by the calculation in these identifica- 
tion schemes. Although four-move and five-move zero-knowledge proofs have 
been proposed [BMOl, FeS2], these protocols impose fairly big additional 
communication and computation overheads compared to the three-move par- 
allel versions (especially Type 2 below). 

Note: Here, the "(three-move) parallel version" denotes two types of proto- 
cols. One (Type 1) is just the parallel execution of a zero-knowledge proto- 
col (e.g., the three-move version of the Fiat-Shamir scheme with k = 1 and 
t = Poly(|n|) [FiS]). The other (Type 2) is a protocol which can be converted 
to zero-knowledge by executing the protocol repeatedly many times and set- 
ting the security parameter of one repetition to be constant (e.g., the three- 
move and higher-degree version of the Fiat-Shamir scheme [GQ, OhOl]). 
The communication complexity of the Type 1 protocol is the same as that 
of the original zero-knowledge protocol. Usually, the communication com- 
plexity of the Type 2 protocol is much less than that of the corresponding 
zero-knowledge protocol (or Type 1). 

- No zero-knowledge identification can be converted into a signature scheme 
using Fiat-Shamir's technique [FiS], which is a truly practical way of con- 
verting an identification scheme into a signature scheme with a one-way hash 
function. This is because: if the identification protocol is zero-knowledge, the 
signature converted from this identification protocol through Fiat-Shamir's 
technique can be forged by using the same algorithm as the simulation 
for proving the zero-knowledgeness of the identification protocol. Therefore, 
for example, the above-mentioned four-move and five-move zero-knowledge 
proofs [BMOl, FeS2] cannot be used to construct a signature scheme. 

In contrast, the three-move identification schemes [Bet, BM1, FiS, FFS, GQ, 
OhOl, Sch], which are the parallel version (Type 2) of zero-knowledge proofs, 
have the following merits in practice. 

- The communication and computation overheads are smaller than those of 
the zero-knowledge identification schemes. 

- The three-move identification schemes can be converted into practical sig- 
nature schemes by using Fiat-Shamir's technique. 

How then can we prove the security of the three-move identification schemes? 
As mentioned above, the zero-knowledge notion seems to be ineffective for this 
purpose. Feige, Fiat and Shamir [FFS] have developed an effective measure called 
"no-useful information transfer'' to prove the security of their three-move iden- 
tification scheme. Ohta and Okamoto [OhOl] have proposed a variant called 

¹ A scheme is called "one-move" if prover A only sends one message to verifier B, and 
is called "two-move" if B sends to A and then A sends to B. "j-move" is defined in 
the obvious way. 
"no transferable information with (sharp threshold) security level," which char- 
acterizes the security level theoretically. Therefore, only "no-useful information 
transfer" [FFS] and its variant [OhOl] have been known to be effective to prove 
the security of three-move identification schemes. 

Only three three-move identification schemes [FFS, OhOl, BM1] have been 
proven to be secure assuming reasonable primitive problems, in the sense of [FFS, 
OhOl]. The Feige-Fiat-Shamir identification scheme [FFS], based on square root 
mod n, has been proven to be as secure as the factoring problem. The Ohta- 
Okamoto scheme [OhOl], which is the higher (the L-th) degree modification 
of the Feige-Fiat-Shamir scheme, has been proven to be as secure (with sharp 
threshold security level 1/K) as factoring, where v ≡ x^L mod n has at least K 
solutions (e.g., gcd(L, p − 1) = K; see [OhOl] for more detailed conditions). The 
Brickell-McCurley scheme [BM1], which is a modification of the Schnorr scheme 
[Sch], has been proven to be secure assuming that it is intractable to find a factor, 
q, of p − 1, given additional information g whose order is q in Z_p^*, although the 
security of their scheme also depends on the discrete logarithm. 

Therefore, there is no existing alternative that is "provably secure" and 
"three-move" practical identification if factoring intractability fails in the fu- 
ture, since the security of all these provably secure schemes depends on the fac- 
toring assumption. In addition, although their schemes are efficient, they have 
some shortcomings in practice: the transmitted information size and memory 
size cannot be small simultaneously [FFS], and a priori fixed value v (e.g., v is 
the identity of a user) cannot be used as a public key [OhOl], (or the identity 
based scheme [Sha] cannot be constructed on this scheme). In addition, the secu- 
rity assumption of [BM1] is fairly stronger than the ordinary factoring problem 
(or the level of the provable security is lower than those of [FFS, OhOl]). 

In contrast, other previously proposed practical three-move identification 
schemes, the Schnorr [Sch] and Guillou-Quisquater [GQ] schemes, have some 
merits compared to [FFS, OhOl, BM1]: The security of the Schnorr scheme de- 
pends on the discrete logarithm, which is a promising alternative if factoring be- 
comes tractable, since we have several different types of discrete logarithms such 
as elliptic curve logarithms which seem to be more intractable than factoring. 
Moreover, the transmitted information size and memory size with these schemes 
can be small simultaneously, while it is impossible in [FFS]. The Schnorr scheme 
is more efficient than [BM1]. In addition, in the Guillou-Quisquater scheme, a 
priori fixed value v can be used as the public key. Unfortunately, the Schnorr and 
Guillou-Quisquater schemes are not provably secure. The difficulty of proving 
the security of these schemes resides in the fact that the discrete logarithm and 
RSA inversion have single solutions in restricted domains, that is, log_g x mod p 
has a single solution (x is in the restricted domain {0, 1, ..., ord(g) − 1}), and 
x^{1/e} mod n has also a single solution (gcd(e, φ(n)) = 1, φ is the Euler function). 

In this paper, we propose three-move identification schemes that are proven 
to be as secure as the discrete logarithm or RSA inversion. We also propose 
a variant which is proven to be as secure as the factoring problem. Our new 
schemes inherit almost all the merits of the Schnorr and Guillou-Quisquater 
schemes even though they are provably secure. That is, these schemes are al- 
most as efficient as the Schnorr and Guillou-Quisquater identification schemes 
from all practical viewpoints such as communication overhead, interaction num- 
ber, required memory size, and processing speed. In addition, the new schemes 
duplicate the other advantage of the Guillou-Quisquater scheme: the identity 
based schemes can be constructed on these schemes. 

This paper also develops new practical digital signature schemes from the pro- 
posed provably secure three-move identification schemes. The signature schemes 
are almost as efficient as the Schnorr and Guillou-Quisquater signature schemes, 
while the security assumptions of our schemes are weaker than those of the 
Schnorr and Guillou-Quisquater signature schemes. That is. the security (exis- 
tentially unforgeable against adaptive chosen message attacks [GMRi]) of our 
new signature schemes only depends on just one reasonable assumption about 
the one-way hash function (or the existence of a "correlation-free one-way hash 
function") as well as the primitive assumption (e.g., the intractability assump- 
tion of the discrete logarithm). 

We also extend these specific and practical results to a more general and 
theoretical result. We show that any random-self-reducible problem [TW] can 
lead to a provably secure and three-move identification scheme. 

We also construct some variants of our new identification and signature 
schemes. One is a variant of our identification scheme based on the discrete 
logarithm using the idea of the Brickell-McCurley scheme [BM1]. This variant 
is proven to be as secure as the difficulty of solving both the discrete logarithm 
and the specific factoring problem (or the finding order problem) simultaneously, 
while, as mentioned above, the Brickell-McCurley scheme is proven to be secure 
assuming the intractability of the finding order problem, although the security 
of their scheme also depends on the discrete logarithm. Some other variants 
of our scheme, identity-based and certification-based versions, and an elliptic 
curve version, are also proposed. The elliptic curve variant has the significant 
property that it is proven to be secure assuming the intractability of the (non- 
supersingular) elliptic curve logarithms against which only exponential-time at- 
tacks are known so far. 

2 Definition of Secure Identification 
2.1 Identification 

Definition 1. An identification scheme consists of two stages: 

1. Initialization: In this stage, each user (e.g., A) generates a secret key (e.g., 
SK_A) and a public key (e.g., PK_A) by using probabilistic polynomial-time 
generation algorithm G on input of the key size. A link between each user 
and its public key is established. Note that in some schemes a part of the 
public key can be commonly shared among all users as a system parameter. 

2. Operation: In this stage any user (e.g., A) can demonstrate its identity to a 
verifier by performing some identification protocol related to its public key 
(e.g., PK_A), where the input for the verifier is the public key (e.g., PK_A). At 
the conclusion of this stage, the verifier either outputs "accept" or "reject". 

2.2 Security of Identification schemes 

We define a secure identification scheme based on the definition (the "no useful 
information transfer") given by Feige et al. [FFS]. 

Definition 2. A prover A (resp. verifier B) is a "good" prover denoted by A 
(resp. "good" verifier denoted by B), if it does not deviate from the protocols 
dictated by the scheme. Let Ã be a fraudulent prover who does not complete 
the Initialization stage of Definition 1 as A and may deviate from the protocols 
(so another person/machine can simulate Ã). B̃ is not a good B. Ã and B̃ are 
assumed to be polynomial time bounded machines, which may be nonuniform. 
An identification scheme (A, B) is secure if 

1. (A, B) succeeds with overwhelming probability. 

2. There is no coalition of Ã, B̃ with the property that, after a polynomial 
number of executions of (A, B̃) and relaying a transcript of the communica- 
tion to Ã, it is possible to execute (Ã, B) with nonnegligible probability of 
success. The probability is taken over the distribution of the public key and 
the secret key as well as the coin tosses of A, B, Ã, and B̃, up to the time 
of the attempted impersonation. 

Remark: When an identification scheme is "witness hiding" [FeSl] and an 
interactive proof of "knowledge" [FFS], this scheme is secure in the sense of Def- 
inition 2. This is roughly because if there exists (Ã, B̃) with nonnegligible prob- 
ability of success, we can construct a knowledge extractor (from the "knowledge 
soundness"), which leads to contradiction with "witness hiding". Thus there are 
two ways to prove the security of Definition 2: One is to prove it directly as in 
[FFS, OhOl], and the other way is to prove that a scheme is "witness hiding" 
and an interactive proof of "knowledge". Some schemes such as [OhOl] seem to 
be proven only in the former way, since the knowledge soundness is sometimes 
hard to prove (e.g., [OhOl]). In this paper, we will prove our schemes in the for- 
mer way, since it is compatible with the way to prove it by a variant of Definition 
2, [OhOl], to be described below, although we can prove them in the latter way. 

In the Appendix A, we introduce a variant of the "no useful information 
transfer" given by Ohta and Okamoto [OhOl], called "no transferable informa- 
tion with (sharp threshold) security level". This notion does not guarantee the 
security guaranteed by [FFS], i.e., the success probability of cheating by any ad- 
versary (Ã, B̃) is negligible in an asymptotic sense. However, the notion sheds 
light on another aspect of the security of identification schemes, the security 
level in a non-asymptotic sense. In practice, the security parameter is fixed in a 
system (e.g., the values of k and t of the Fiat-Shamir scheme [FiS]). Then we 
can assume a fixed security level for the system. The definition [OhOl] guar- 
antees that such a fixed security level has theoretical significance². Note that 
this notion is defined essentially in an asymptotic manner although the security 
level is characterized in a non-asymptotic manner. The provable security of an 
identification scheme can be guaranteed by both these notions. 

² An asymptotic extension of the security level is recently studied in [CD]. 

3 Proposed Three-Move Identification Schemes 

3.1 Identification Scheme as Secure as the Discrete Logarithm 

In this subsection, we propose a new scheme which is almost as efficient as the 
Schnorr identification scheme [Sch], and prove that it is as secure as the discrete 
logarithm problem. 

A user generates a public key (p, q, g_1, g_2, t, v) and a secret key (s_1, s_2) and 
publishes the public key. Here, if g_2 is calculated by g_2 = g_1^γ mod p, γ can be 
discarded after publishing g_2. 

- primes p and q such that q | p − 1. (e.g., q > 2^140, and p > 2^512.) 

- g_1, g_2 of order q in the group Z_p^*, and an integer t = O(|p|). (e.g., t > 20.) 

- random numbers s_1, s_2 in Z_q, and v = g_1^{-s_1} g_2^{-s_2} mod p. 

Remark: (p, q, g_1, g_2, t) can be published by a system manager and used com- 
monly by all system users as a system parameter. The system manager should 
then also publish some information to confirm to users that these parameters 
were selected honestly. For example, (s)he publishes some witness that no trap- 
door exists in p, g_1, g_2, or that these values are generated honestly. Since the 
primality test for p and q is fairly easy for users, they can confirm for them- 
selves that g_1 and g_2 are both of order q. When, as described above, the system 
parameter is generated and published by each user individually, (s)he does not 
need to publish such information. 

We now describe our new identification scheme (Identification scheme 1) by 
which party A (the prover) can prove its identity to B (the verifier). 

Protocol: Identification scheme 1 

Step 1 A picks random numbers r_1, r_2 ∈ Z_q, computes 

x = g_1^{r_1} g_2^{r_2} mod p, 

and sends x to B. 
Step 2 B sends a random number e ∈ Z_{2^t} to A. 
Step 3 A sends to B (y_1, y_2) such that 

y_1 = r_1 + e s_1 mod q, and y_2 = r_2 + e s_2 mod q. 
Step 4 B checks that 

x = g_1^{y_1} g_2^{y_2} v^e mod p. 
If it holds, B accepts, otherwise rejects. 

Next, we prove the security of the above identification scheme. First, we show 
a definition and lemma in preparation. 
Definition 3. Let $R_A$ denote A's random tape, and $R_B$ denote B's random 
tape. The possible outcomes of executing (A, B) can be summarized in a large 
Boolean matrix $H$ whose rows correspond to all possible choices of $R_A$. Its 
columns correspond to all possible choices $e$ of $R_B$, and its entries are 1 if B 
accepts A's proof, and 0 otherwise. 

When the success probability of A is $\varepsilon$ (or the rate of 1-entries in $H$ is $\varepsilon$), we 
call a row heavy if its ratio of 1's is at least $\varepsilon/2$. 

Lemma 4. If, given A's public key $(p, q, g_1, g_2, t, v)$, the success probability, $\varepsilon$, 
of A is greater than $2^{-t+1}$, then there exists a probabilistic algorithm which runs 
in expected time $O(\|A\|/\varepsilon)$ and outputs the history of two accepted executions of 
(A, B), $(x, e, y_1, y_2)$ and $(x, e', y_1', y_2')$, where $e \neq e'$. Here, $\|A\|$ denotes the time 
complexity of A. The success probability is taken over the coin tosses of A and 
B. 

Sketch of Proof: 

Assume that at least 1/2 of the 1's in $H$ are not located in heavy rows. Then 
the fraction of non-heavy rows in $H$, which we denote $r$, is estimated as follows: 
$r > \frac{\varepsilon/2}{\varepsilon/2} = 1$. This is a contradiction. Therefore, at least 1/2 of the 1's in $H$ 
are located in heavy rows. Since $\varepsilon$ is greater than $2^{-t+1}$ and the width of $H$ is 
$2^t$, a heavy row contains at least two 1's. To find two 1's in the same row, we 
thus adopt the following strategy: 

1. Probe $O(1/\varepsilon)$ random entries in $H$ (or pick $(R_A, e)$ randomly and check it, 
and repeat this until successful). 

2. After the first 1 is found (or accepted $(x, e, y_1, y_2)$ with $R_A$ is found), probe 
$O(1/\varepsilon)$ random entries along the same row (or probe $(x, e', y_1', y_2')$ with the 
same $R_A$). 

Since at least 1/2 of the 1's in $H$ are located in heavy rows, this strategy succeeds 
with constant probability in $O(1/\varepsilon)$ probes. □ 

Definition 5. The discrete logarithm is (nonuniformly) intractable, if any fam- 
ily of boolean circuits, which, given properly chosen $(g_1, g_2, p, q)$ in the same 
distribution as the output of key generator $G$, can compute the discrete loga- 
rithm $\alpha \in Z_q$ ($g_2 = g_1^{\alpha} \bmod p$) with nonnegligible probability, must grow at a 
rate faster than any polynomial in the size of the input, $|p|$. 
</gr_repl
ace>
<gr_replace lines="2049-2051" cat="reformat" orig="Remark The discrete logarithm above">
Remark The discrete logarithm above might be less intractable than that when 
the order of $g_1$ is greater than $q$ (e.g., $p-1$), although no attack has yet been 
reported when $q$ is appropriately large (considering an attack, [PH]). 

Remark The discrete logarithm above might be less intractable than that when 
the order of g x is greater than q (e.g., p — 1), although no attack has yet been 
reported when q is appropriately large (considering an attack, [PH]). 

Theorem 6. Identification scheme 1 is secure if and only if the discrete loga- 
rithm is intractable. 
Sketch of Proof: 

(Only if:) 

Suppose that the discrete logarithm is not intractable. Clearly a (nonuniform) 
polynomial time machine can calculate $(s_1', s_2')$ satisfying $v = g_1^{-s_1'} g_2^{-s_2'} \bmod p$ 
with nonnegligible probability. Thus Identification scheme 1 is not secure. 
(If:) 

To prove the "If" part, we show that if Identification scheme 1 is not secure, 
then, given $(g_1, g_2, p, q)$ with the same distribution as the output of key generator 
$G$, the discrete logarithm $\alpha \in Z_q$ ($g_2 = g_1^{\alpha} \bmod p$) can be computed by a 
polynomial time machine $P$ with non-negligible probability. 

Assume that Identification scheme 1 is not secure. Then $(\tilde{A}, B)$ can be ac- 
cepted with nonnegligible probability $\varepsilon$ after $O(|p|^c)$ executions of (A, B). The 
complete history of the executions of (A, B) and $(\tilde{A}, B)$ can be simulated by one 
polynomial time procedure $P$, which may be nonuniform, if $P$ knows A's secret 
key. 

To calculate the discrete logarithm $\alpha \in Z_q$ ($g_2 = g_1^{\alpha} \bmod p$), given $(g_1, g_2, p, q)$, 
$P$ firstly chooses $s_1^*, s_2^* \in Z_q$ randomly, and calculates $v = g_1^{-s_1^*} g_2^{-s_2^*} \bmod p$. 

Then, using $(s_1^*, s_2^*)$ as A's secret key, $P$ simulates (A, B) as well as $(\tilde{A}, B)$. So, 
for $(v, g_1, g_2, p, q)$, after simulating $O(|p|^c)$ executions of (A, B), $P$ tries to find 
two accepted interactions of $(\tilde{A}, B)$, $(x, e, y_1, y_2)$ and $(x, e', y_1', y_2')$ ($e \neq e'$). From 
Lemma 4, this is possible with overwhelming probability, since $\varepsilon$ is nonnegligible, 
i.e. greater than $2^{-t+1}$. 

$P$ can then calculate $(s_1, s_2) = ((y_1 - y_1')/(e - e') \bmod q,\ (y_2 - y_2')/(e - e') \bmod q)$ by 

  $y_1 = r_1 + e s_1 \bmod q$, $y_2 = r_2 + e s_2 \bmod q$, 
  $y_1' = r_1 + e' s_1 \bmod q$, $y_2' = r_2 + e' s_2 \bmod q$. 

There are $q$ solutions of $(s_1, s_2)$ which satisfy $v = g_1^{-s_1} g_2^{-s_2} \bmod p$, given 
$(v, g_1, g_2, p, q)$. Even an infinitely powerful B cannot determine from $x$'s, $y_1$'s, 
and $y_2$'s sent by A during the execution of (A, B) which $(s_1, s_2)$ satisfying $v = 
g_1^{-s_1} g_2^{-s_2} \bmod p$ A actually uses. To prove this, for two different solutions, $(s_1, s_2)$ 
and $(s_1^*, s_2^*)$ satisfying $v = g_1^{-s_1} g_2^{-s_2} = g_1^{-s_1^*} g_2^{-s_2^*} \pmod p$, we show that even 
an infinitely powerful B cannot determine which solution was used from $x$'s, 
$y_1$'s, and $y_2$'s. When $r_1^* = r_1 + e(s_1 - s_1^*) \bmod q$ and $r_2^* = r_2 + e(s_2 - s_2^*) \bmod q$, 
the following three equations hold. 

  $x = g_1^{r_1} g_2^{r_2} = g_1^{r_1^*} g_2^{r_2^*} \pmod p$, 
  $y_1 = r_1 + e s_1 = r_1^* + e s_1^* \pmod q$, 
  $y_2 = r_2 + e s_2 = r_2^* + e s_2^* \pmod q$. 

In addition, the distributions of $(r_1, r_2)$ and $(r_1^*, r_2^*)$ are exactly equivalent even 
if they satisfy the above relation. Hence, although $P$ knows $(s_1^*, s_2^*)$, $(s_1, s_2)$, 
which is calculated by $P$ by simulating the operations of (A, B) and $(\tilde{A}, B)$, is 
independent from $(s_1^*, s_2^*)$. 

Therefore, $(s_1^*, s_2^*)$ which was randomly chosen by $P$ at first is different with 
probability $(q-1)/q$ from $(s_1, s_2)$. Thus, $\alpha$ can be calculated with probability 
$(q-1)/q$ from $(s_1, s_2)$ and $(s_1^*, s_2^*)$ such that $\alpha = (s_1 - s_1^*)/(s_2^* - s_2) \bmod q$. The 
total success probability of $P$ is nonnegligible. 

This contradicts the intractability assumption of the discrete logarithm. □ 
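The three-move exchange of Identification scheme 1 and the extraction step used in the proof of Theorem 6 (two accepted transcripts with the same $x$ give $(s_1, s_2)$; two secret keys for the same $v$ give $\alpha$), as an added Python example that is not the paper's code. The parameters $p = 10007$, $q = 5003$, $g_1 = 4$, $g_2 = g_1^{5}$, $t = 12$ are constructed toy values; ALPHA is known to the demo only so the recovered discrete logarithm can be checked.

```python
import secrets

# Constructed toy parameters (NOT secure): p = 10007 = 2q + 1 with q = 5003 prime,
# g1 = 4 has order q in Z_p^*, and g2 = g1^ALPHA so the discrete logarithm of g2
# is known to the demo (only so the value recovered below can be checked).
# t = 12 so that challenges e < 2^t < q.
P, Q, T = 10007, 5003, 12
G1, ALPHA = 4, 5
G2 = pow(G1, ALPHA, P)


def keygen(sk=None):
    """Secret key (s1, s2) in Z_q and public value v = g1^-s1 g2^-s2 mod p."""
    s1, s2 = sk if sk is not None else (secrets.randbelow(Q), secrets.randbelow(Q))
    return (s1, s2), pow(G1, -s1, P) * pow(G2, -s2, P) % P


def step1_commit(r1, r2):
    """Step 1 (A): x = g1^r1 g2^r2 mod p."""
    return pow(G1, r1, P) * pow(G2, r2, P) % P


def step3_respond(sk, r1, r2, e):
    """Step 3 (A): y1 = r1 + e s1 mod q, y2 = r2 + e s2 mod q."""
    s1, s2 = sk
    return (r1 + e * s1) % Q, (r2 + e * s2) % Q


def step4_verify(v, x, e, y1, y2):
    """Step 4 (B): accept iff x = g1^y1 g2^y2 v^e mod p."""
    return x == pow(G1, y1, P) * pow(G2, y2, P) * pow(v, e, P) % P


def run_identification(sk, v):
    """One complete three-move run with fresh randomness on both sides."""
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
    x = step1_commit(r1, r2)
    e = secrets.randbelow(1 << T)            # Step 2 (B): challenge in Z_{2^t}
    y1, y2 = step3_respond(sk, r1, r2, e)
    return step4_verify(v, x, e, y1, y2)


def extract_secret(e, y1, y2, e2, y1b, y2b):
    """Lemma 4 / Theorem 6: two accepted transcripts with the same x and e != e'
    yield (s1, s2) = ((y1 - y1')/(e - e'), (y2 - y2')/(e - e')) mod q.
    For an honest prover this is exactly why (r1, r2) must never be reused."""
    inv = pow((e - e2) % Q, -1, Q)
    return (y1 - y1b) * inv % Q, (y2 - y2b) * inv % Q


def equivalent_secret(sk, d):
    """One of the q secret keys sharing the same v: (s1 + ALPHA d, s2 - d) mod q.
    Demo-only: a real prover does not know ALPHA; the point is that such keys exist."""
    s1, s2 = sk
    return (s1 + ALPHA * d) % Q, (s2 - d) % Q


def dlog_from_two_secrets(sk, sk_star):
    """Theorem 6: two different secrets for one v give alpha = (s1 - s1*)/(s2* - s2) mod q."""
    (s1, s2), (t1, t2) = sk, sk_star
    return (s1 - t1) * pow((t2 - s2) % Q, -1, Q) % Q
```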

Theorem 7. Let $t = O(1)$. Identification scheme 1 is secure with sharp threshold 
security level $1/2^t$ if and only if the discrete logarithm is intractable. 

The proof of Theorem 7 is similar to that of Theorem 6. It is shown in the 
final version. 

3.2 Identification Scheme as Secure as RSA Inversion 

This subsection proposes another practical identification scheme which is almost 
as efficient as the Guillou-Quisquater identification scheme [GQ], and proves that 
it is as secure as RSA inversion. 

A user generates a public key $(a, k, n, v)$ and a secret key $(s_1, s_2)$ and publishes 
the public key. Here, $p, q$ can be discarded after publishing $n$. Note that $(a, k)$ 
can be common among users as the system parameter. 

- primes $p, q$, $n = pq$, and prime $k$ such that $\gcd(k, \phi(n)) = 1$ and $|k| = O(|n|)$, 
where $\phi(n) = \mathrm{lcm}(p-1, q-1)$. (e.g., $k > 2^{20}$, $n > 2^{512}$) 

- random number $s_1 \in Z_k$, and random numbers $a, s_2 \in Z_n^*$, and $v = 
a^{-s_1} s_2^{-k} \bmod n$. 

We now describe our new identification scheme (Identification scheme 2) by 
which party A (the prover) can prove its identity to B (the verifier). 

Protocol: Identification scheme 2 

Step 1 A picks random numbers $r_1 \in Z_k$ and $r_2 \in Z_n^*$, computes 

  $x = a^{r_1} r_2^{k} \bmod n$, 

and sends $x$ to B. 
Step 2 B sends a random number $e \in Z_k$ to A. 
Step 3 A sends to B $(y_1, y_2)$ such that 

  $y_1 = r_1 + e s_1 \bmod k$, $y_2 = a^{\lfloor (r_1 + e s_1)/k \rfloor} r_2 s_2^{e} \bmod n$. 
Step 4 B checks that $x = a^{y_1} y_2^{k} v^{e} \bmod n$. 

Definition 8. RSA inversion is (nonuniformly) intractable, if any family of 
boolean circuits, which, given properly chosen $(a, k, n)$ in the same distribution 
as the output of key generator $G$, can compute $a^{1/k} \bmod n$ with nonnegligible 
probability, must grow at a rate faster than any polynomial in the size of the 
input, $|n|$. 
Theorem 9. Identification scheme 2 is secure if and only if RSA inversion is 
intractable. 

Sketch of Proof: 

(Only if:) 

Suppose that the RSA inversion is not intractable. Clearly a (nonuniform) 
polynomial time machine can calculate $(s_1', s_2')$ satisfying $v = a^{-s_1'} s_2'^{-k} \bmod n$ 
with nonnegligible probability. Thus Identification scheme 2 is not secure. 

(If:) 

The "If" part is proved in a manner similar to the "if" part of the proof of 
Theorem 6. So we only sketch the different points here. 

First, $P$ chooses $s_1^* \in Z_k$ and $s_2^* \in Z_n^*$ randomly, and calculates $v = 
a^{-s_1^*} s_2^{*-k} \bmod n$. 

Then, for $(a, k, n, v)$, $P$ finds $(x, e, y_1, y_2)$ and $(x, e', y_1', y_2')$ ($e \neq e'$) by the 
technique of Lemma 4. 

Next $P$ calculates $s_1 = (y_1 - y_1')/(e - e') \bmod k$, and $r_1 = y_1 - e s_1 \bmod k$. 
$P$ then calculates $X, Y$ as follows: 

  $X = \dfrac{y_2\, a^{\lfloor (r_1 + e' s_1)/k \rfloor}}{y_2'\, a^{\lfloor (r_1 + e s_1)/k \rfloor}} \bmod n$ ($= s_2^{e - e'} \bmod n$), 

  $Y = 1/(v\, a^{s_1}) \bmod n$ ($= s_2^{k} \bmod n$). 

Since $\gcd(k, e - e') = 1$ (as $k$ is prime), $P$ can compute $\alpha, \beta$ satisfying $\alpha(e - 
e') + \beta k = 1$ by the extended Euclidean algorithm. Hence $P$ calculates $s_2 = 
X^{\alpha} Y^{\beta} \bmod n$. 

There are $k$ solutions of $(s_1, s_2)$ which satisfy $v = a^{-s_1} s_2^{-k} \bmod n$, given 
$(v, n, a, k)$. Even an infinitely powerful B cannot determine from $x$'s, $y_1$'s, and 
$y_2$'s which $(s_1, s_2)$ was actually used. 

$P$ then obtains $(s_1, s_2)$, $(s_1^*, s_2^*)$ ($s_1 \neq s_1^*$) such that $v = a^{-s_1} s_2^{-k} = a^{-s_1^*} s_2^{*-k}$ 
$\pmod n$, so $a^{(1/k)(s_1^* - s_1)} = s_2/s_2^* \pmod n$. After repeating the above proce- 
dure, $P$ obtains another $(s_1', s_2')$, $(s_1'^*, s_2'^*)$ ($s_1' \neq s_1'^*$) such that $a^{(1/k)(s_1'^* - s_1')} = 
s_2'/s_2'^* \pmod n$ with nonnegligible probability. If $\gcd(s_1 - s_1^*, s_1' - s_1'^*) = 1$, then 
$P$ can calculate $a^{1/k} \bmod n$. The probability that $\gcd(s_1 - s_1^*, s_1' - s_1'^*) = 1$ is 
more than a constant, since $s_1^*, s_1'^*$ are selected randomly and $s_1, s_1^*$ are independent 
from $s_1', s_1'^*$. Thus, the total success probability of $P$ is nonnegligible. 

This contradicts the intractability assumption of RSA inversion. □ 
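Identification scheme 2 (Section 3.2) and the secret-recovery step of the proof of Theorem 9 (the carry $\lfloor (r_1 + e s_1)/k \rfloor$ absorbed into $y_2$, and $s_2 = X^{\alpha} Y^{\beta}$ via the extended Euclidean algorithm), as one added Python example that is not the paper's code. $n = 61 \cdot 53$, $k = 17$ and the sample values of $a$, $s_1$, $s_2$, $r_1$, $r_2$ are constructed toy values.

```python
import secrets

# Constructed toy parameters (NOT secure): n = 61 * 53 = 3233, phi(n) = lcm(60, 52) = 780,
# and k = 17 is prime with gcd(k, phi(n)) = 1, as Identification scheme 2 requires.
N, K = 3233, 17


def keygen(a, s1, s2):
    """Public value v = a^-s1 s2^-k mod n for secret key (s1 in Z_k, s2 in Z_n^*)."""
    return pow(a, -s1, N) * pow(s2, -K, N) % N


def step1_commit(a, r1, r2):
    """Step 1 (A): x = a^r1 r2^k mod n with r1 in Z_k and r2 in Z_n^*."""
    return pow(a, r1, N) * pow(r2, K, N) % N


def step3_respond(a, sk, r1, r2, e):
    """Step 3 (A): y1 = r1 + e s1 mod k; the carry floor((r1 + e s1)/k) is absorbed
    into y2 = a^carry r2 s2^e mod n so that a^y1 y2^k equals a^(r1 + e s1) r2^k s2^(ek)."""
    s1, s2 = sk
    carry, y1 = divmod(r1 + e * s1, K)
    return y1, pow(a, carry, N) * r2 * pow(s2, e, N) % N


def step4_verify(a, v, x, e, y1, y2):
    """Step 4 (B): accept iff x = a^y1 y2^k v^e mod n."""
    return x == pow(a, y1, N) * pow(y2, K, N) * pow(v, e, N) % N


def egcd(x, y):
    """Extended Euclid: (g, alpha, beta) with alpha*x + beta*y = g; x may be negative."""
    if y == 0:
        return x, 1, 0
    g, u, w = egcd(y, x % y)
    return g, w, u - (x // y) * w


def extract_secret(a, v, e, y1, y2, e2, y1b, y2b):
    """Theorem 9: from two accepted transcripts (x, e, y1, y2), (x, e', y1', y2'), e != e',
    recover s1 = (y1 - y1')/(e - e') mod k and r1 = y1 - e s1 mod k, then
    X = y2 a^floor((r1 + e's1)/k) / (y2' a^floor((r1 + es1)/k)) = s2^(e - e') and
    Y = 1/(v a^s1) = s2^k, and finally s2 = X^alpha Y^beta with alpha(e - e') + beta k = 1."""
    s1 = (y1 - y1b) * pow((e - e2) % K, -1, K) % K
    r1 = (y1 - e * s1) % K
    c, cb = (r1 + e * s1) // K, (r1 + e2 * s1) // K
    X = y2 * pow(a, cb, N) * pow(y2b * pow(a, c, N), -1, N) % N
    Y = pow(v * pow(a, s1, N), -1, N)
    g, alpha, beta = egcd(e - e2, K)
    if g != 1:                      # cannot happen for prime k and 0 < |e - e'| < k
        raise ValueError("e - e' must be coprime to k")
    return s1, pow(X, alpha, N) * pow(Y, beta, N) % N


def run_identification(a, sk, v):
    """One complete run of Identification scheme 2 with fresh randomness."""
    r1, r2 = secrets.randbelow(K), secrets.randbelow(N - 2) + 2
    x = step1_commit(a, r1, r2)
    e = secrets.randbelow(K)                 # Step 2 (B): challenge in Z_k
    y1, y2 = step3_respond(a, sk, r1, r2, e)
    return step4_verify(a, v, x, e, y1, y2)
```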

Theorem 10. Let $|k| = O(1)$. Identification scheme 2 is secure with sharp 
threshold security level $1/k$ if and only if RSA inversion is intractable. 



3.3 Identification Scheme as Secure as Factoring 

In this subsection, we show a slight variant of the previous identification scheme 
(Identification scheme 2), which is as secure as factoring, while Identification 
scheme 2 is as secure as the inversion of the RSA function. The protocol of this 
variant (Identification scheme 3) is exactly the same as Identification scheme 2. The 
only difference is that the value of $k$ is selected so that $\gcd(k, \phi(n)) = 2$ and $k/2$ 
is prime, while $\gcd(k, \phi(n)) = 1$ and $k$ is prime in Identification scheme 2. 

Definition 11. Factoring is (nonuniformly) intractable, if any family of boolean 
circuits, which, given properly chosen $(n)$ in the same distribution as the output 
of key generator $G$, can factor $n$ with nonnegligible probability, must grow at a 
rate faster than any polynomial in the size of the input, $|n|$. 

Theorem 12. Identification scheme 3 is secure if and only if factoring is in- 
tractable. 

Theorem 13. Let $|k| = O(1)$. Identification scheme 3 is secure with sharp 
threshold security level $1/k$ if and only if factoring is intractable. 

4 Generalization to Random-Self-Reducible Problems 

This section shows that any random self-reducible problem [TW] leads to prov- 
ably secure and three-move identification. 

Definition 14. Let $\mathcal{N}$ be a countable infinite set. For any $N \in \mathcal{N}$, let $|N|$ denote 
the length of a suitable representation of $N$, and denote the problem size. For 
any $N \in \mathcal{N}$, let $X_N, Y_N$ be finite sets, and $R_N \subseteq X_N \times Y_N$ be a relation. Let 

  $\mathrm{dom}\, R_N = \{x \in X_N \mid (x, y) \in R_N \text{ for some } y \in Y_N\}$ 

denote the domain of $R_N$, and 

  $R_N(x) = \{y \mid (x, y) \in R_N\}$ 

the image of $x \in X_N$. 

$R$ is random self-reducible (RSR) if and only if there is a polynomial time al- 
gorithm $A$ that, given any inputs $N \in \mathcal{N}$, $x \in \mathrm{dom}\, R_N$, and a source $r \in \{0, 1\}^{*}$, 
outputs $x' = A(N, x, r) \in \mathrm{dom}\, R_N$ satisfying the following seven properties. 

1. If $r$ is randomly and uniformly chosen on $\{0, 1\}^{*}$, then $x'$ is uniformly dis- 
tributed over $\mathrm{dom}\, R_N$. 

2. There is a polynomial time algorithm that, given $N, x, r$, and any $y' \in 
R_N(x')$, outputs $y \in R_N(x)$. 

3. There is a polynomial time algorithm that, given $N, x, r$, and any $y \in R_N(x)$, 
outputs some $y' \in R_N(x')$. If, in addition, the bits of $r$ are random, uniform, 
and independent, then $y'$ is uniformly distributed over $R_N(x')$. 

4. There is an expected polynomial time algorithm that, given $N, x'$, and $y'$, 
determines whether $(x', y') \in R_N$. 

5. There is an expected polynomial time algorithm that, given $N$, outputs 
random pairs $(x', y') \in R_N$ with $x'$ uniformly distributed over $\mathrm{dom}\, R_N$ and 
$y'$ uniformly distributed over $R_N(x')$. 

6. There is an expected polynomial time algorithm that, given $N, x_0, x_1, x_2, 
r_1, r_2$ satisfying $x_i = A(N, x_0, r_i)$ ($i = 1, 2$), outputs $r'$ satisfying $x_2 = 
A(N, x_1, r')$. 

7. There is an expected polynomial time algorithm that, given $N, x_1, x_2, y_1, y_2$ 
satisfying $(x_i, y_i) \in R_N$ ($i = 1, 2$), outputs $r^*$ satisfying $x_2 = A(N, x_1, r^*)$. 

Next we construct a three-move identification scheme based on random self- 
reducible problem $R$ (Identification scheme 4). 

A user generates a public key $(N, a, t, v)$ and a secret key $(s_i)$ ($i = 0$ or $1$) 
and publishes the public key. 

- A random bit $i \in \{0, 1\}$, $N \in \mathcal{N}$, $a \in \mathrm{dom}\, R_N$, and an integer $t = O(|N|)$. 

- When $i = 0$, random bits $s_0 \in \{0, 1\}^{*}$, and $v = A(N, a, s_0)$. 

- When $i = 1$, a random pair $(v, s_1) \in R_N$. 



Protocol: Identification scheme 4 

Step 1 A generates random bits $y_{j0} \in \{0, 1\}^{*}$, and $x_{j0} = A(N, a, y_{j0})$, ($j = 
1, \ldots, t$). A also generates random pairs $(x_{j1}, y_{j1}) \in R_N$, ($j = 1, \ldots, t$). 
A sets $X_j = (x_{j b_j}, x_{j (1 - b_j)})$ with a random bit $b_j \in \{0, 1\}$, and sends 
$(X_1, X_2, \ldots, X_t)$ to B. 

Step 2 B sends random bits $(e_1, \ldots, e_t)$ to A. 

Step 3 A sends $(z_1, z_2, \ldots, z_t)$ to B. Here, if $e_j = 0$, $z_j = (y_{j0}, y_{j1})$. If $e_j = 1$ 
and $i = 0$, then $z_j = r_0$ such that $x_{j0} = A(N, v, r_0)$ ($r_0$ can be 
computed from property 6). If $e_j = 1$ and $i = 1$, then $z_j = r_1$ such 
that $x_{j1} = A(N, v, r_1)$ ($r_1$ can be computed from property 7). 

Step 4 B checks the validity of the messages received from A. 

Definition 15. The random self-reducible problem $R$ is (nonuniformly) in- 
tractable, if any family of boolean circuits, which, given properly chosen $(N, a)$ 
in the same distribution as the output of key generator $G$, can compute $\alpha$ sat- 
isfying $(a, \alpha) \in R_N$ with nonnegligible probability, must grow at a rate faster 
than any polynomial in the size of the input, $|p|$. 

Theorem 16. Identification scheme 4 is secure if and only if the random self- 
reducible problem $R$ is intractable. 

The basic techniques to prove this theorem are similar to those shown in 
Section 3. Scheme 4 is much less efficient than the schemes in Section 3, since 
the schemes in Section 3 are Type 2 of the parallel versions (see Section 1), while 
this scheme is Type 1. 

Because of space limitations, we omit the proof of this theorem in this ex- 
tended abstract. 
5 Variants of the Proposed Identification Schemes 

5.1 Identification Scheme as Secure as the Discrete Logarithm and 
Factoring Simultaneously 

This subsection introduces a variant of Identification scheme 1 (Identification 
scheme 5) using the idea of the Brickell-McCurley scheme [BM1]. This variant is 
proven to be as secure as the difficulty of solving both the discrete logarithm and 
the specific factoring problem (or the finding order problem) simultaneously. 

In this identification scheme, a user generates a public key $(p, g_1, g_2, v)$ and 
secret key $(s_1, s_2)$ and publishes the public key. $(q, w)$ can be discarded after pub- 
lishing the public key. $(p, g_1, g_2)$ can be a system parameter, which is commonly 
used by all users. 

- primes $p, q$ and $w$ such that $qw \mid p-1$ (e.g., $q > 2^{140}$, $p > 2^{512}$, and $qw > 2^{512}$). 

- $g_1$ and $g_2$ of order $q$ in the group $Z_p^*$. 

- random numbers $s_1, s_2$ in $Z_{p-1}$. 

- $v = g_1^{-s_1} g_2^{-s_2} \bmod p$. 

We now describe our new identification scheme (Identification scheme 5). 

Protocol: Identification scheme 5 

Step 1 A picks random numbers $r_1, r_2 \in Z_{p-1}$, computes 

  $x = g_1^{r_1} g_2^{r_2} \bmod p$, 

and sends $x$ to B. 
Step 2 B sends a random number $e \in Z_{2^t}$ to A. 
Step 3 A sends to B $(y_1, y_2)$ such that 

  $y_1 = r_1 + e s_1 \bmod p-1$, and $y_2 = r_2 + e s_2 \bmod p-1$. 

Step 4 B checks that 

  $x = g_1^{y_1} g_2^{y_2} v^{e} \bmod p$. 

Definition 17. The finding order problem is (nonuniformly) intractable, if any 
family of boolean circuits, which, given properly chosen $(p, g_1)$ in the same dis- 
tribution as the output of key generator $G$, can compute the order of $g_1$ in the 
group $Z_p^*$ with nonnegligible probability, must grow at a rate faster than any 
polynomial in the size of the input, $|p|$. 

Remark This problem is more tractable than the factoring problem (Definition 
11), since if there exists a polynomial time algorithm to solve the factoring 
problem, then the finding order problem can be solved by factoring $p-1$. So, the 
finding order problem can be considered a subproblem of the factoring problem. 

Theorem 18. Identification scheme 5 is secure if and only if the problem to 
solve both the discrete logarithm and the finding order problem simultaneously is 
intractable. 
5.2 Identity-Based and Certification-Based Variants 

There are two methods of eliminating the public key directory from the conven- 
tional public key schemes: one is the identity-based method and the other is the 
certification-based method. 

In the certification-based method, a trusted center (key authentication center, 
or certification authority) publishes its public key and gives a user A its signature 
$S$ for the pair of identity $Id_A$ and public key $PK_A$ of A. The user A sends 
$(Id_A, PK_A, S)$ to the verifier, who checks the validity of $PK_A$ by verifying the 
trusted center's signature $S$ for $(Id_A, PK_A)$ in place of retrieving $PK_A$ through 
$Id_A$ from the public key directory. 

In the identity-based method, proposed by Shamir [Sha] and independently 
by Okamoto [Oka], the public key is replaced by the identity related value of a 
user. 

The difference between the certification-based method and identity-based 
method is as follows: 

- Any public-key system can be converted into the certification-based vari- 
ant by the same technique, while each public-key system needs its own 
technique to convert to the identity-based variant. 

- The trusted center of the certification-based method does not know each 
user's secret key, while the trusted center of the identity-based method gen- 
erates and knows each user's secret key. 

- The size of the public key that a user keeps and sends to the verifier in the 
certification-based method is longer than that in the identity-based method. 

In this extended abstract, only two examples, identity-based variants of Iden- 
tification schemes 1 and 2, are introduced briefly. In particular, we show a new 
construction technique to realize the identity-based variant of a scheme which 
is based on the discrete logarithm (e.g., Identification scheme 1), although the 
identity-based scheme based on the discrete logarithm is usually difficult to con- 
struct. Our technique is similar to Beth's idea [Bet], but ours seems to be more 
natural, since we use the digital signature corresponding to the identification 
(Section 6), while the ElGamal scheme is used in [Bet]. (Our technique can be 
also applied to the Schnorr scheme: See Appendix B.) 

Identity-Based Variant of Identification scheme 1 A trusted center T (or 
key authentication center) generates a public key $(p, q, g_1, g_2, t, v_T)$ and its secret 
key $(s_{T1}, s_{T2})$, and publishes the public key as a system parameter. T generates 
T's digital signature, $(e_A, y_{A1}, y_{A2})$, of A's identity, $Id_A$, by using its secret key. 
So, $e_A = h((g_1^{y_{A1}} g_2^{y_{A2}} v_T^{e_A} \bmod p), Id_A)$ (see Section 6). T gives A A's secret key 
$(s_{A1}, s_{A2})$ and $e_A$, where $(s_{A1}, s_{A2}) = (q - y_{A1}, q - y_{A2})$. Then A generates A's 
public key $v_A = g_1^{-s_{A1}} g_2^{-s_{A2}} \bmod p$ from the secret key given by T. 

In this identity-based identification protocol, A first sends $(Id_A, v_A, e_A)$ to 
verifier B along with $x$ (same as $x$ in the first step of Identification scheme 1). 
B checks the validity of $Id_A$ and $v_A$ by checking whether $e_A = h((v_A v_T^{e_A} \bmod 
p), Id_A)$ holds or not. If the check passes, the remaining protocol is the same 
as Identification scheme 1 (or B sends A $e$, A sends B $(y_1, y_2)$, and B checks 
it). So, B does not need to retrieve $v_A$ from the public-key directory. Here, the 
communication overhead except $(Id_A, v_A)$ is just $e_A$, whose size is much smaller 
than those of $v_A$ and $x$. 

Identity-Based Variant of Identification scheme 2 A trusted center (or 
key authentication center) generates a public key $(a, k, n)$ and gives user A its 
secret key $(s_{A1}, s_{A2})$, where $Id_A = a^{-s_{A1}} s_{A2}^{-k} \bmod n$. (First $s_{A1} \in Z_k$ is randomly 
determined, then $s_{A2} = (Id_A\, a^{s_{A1}})^{-1/k} \bmod n$ is calculated. $Id_A$ can be replaced 
by $h(Id_A)$ with a one-way function.) 

In this identity-based identification protocol, $Id_A$ is used in place of $v$ in 
Identification scheme 2. In a manner similar to the above-mentioned identity- 
based protocol, $Id_A$ is sent to B along with $x$ in the first step and the remaining 
part is the same as Identification scheme 2. So, B does not need to retrieve $v$ 
from the public-key directory. 

5.3 Elliptic Curve Version 

Some techniques to construct cryptosystems based on the elliptic curve logarithm 
over a finite field [HMV, Kob1, Kob2, Mil, Miy] can be straightforwardly applied 
to our Identification scheme 1. 

The elliptic curve variant of Identification scheme 1 has the significant prop- 
erty that three-move practical identification is proven to be secure assuming the 
intractability of the (non-supersingular) elliptic curve logarithms, against which 
only exponential-time attacks have been reported so far [MOV, Kob2]. 

6 Signature Schemes 

This section describes digital signature schemes converted from the identification 
schemes given in the previous sections. We also prove the security (existentially 
unforgeable against adaptive chosen message attacks [GMRi]) of our new sig- 
nature schemes assuming one reasonable assumption about the one-way hash 
function (correlation-free one-way hash function) as well as a primitive assump- 
tion. 

Since this conversion [FiS] is very simple, in this extended abstract, we only 
show one example (Signature scheme 1) based on Identification scheme 1. Other 
signature schemes (Signature schemes 2 to 5, and others) can be realized in the 
same way based on Identification schemes 2 to 5, and the variants described in 
subsections 5.2 and 5.3. 

6.1 Signature Scheme Based on Identification Scheme 1 

Signature scheme 1 is almost as efficient as the Schnorr signature scheme and 
DSA (see Section 7), while the security [GMRi] assumption of our scheme is 
weaker and more reasonable than those of the Schnorr signature scheme and 
DSA. 

A public key $(p, q, g_1, g_2, t, v)$ and secret key $(s_1, s_2)$ of each user are de- 
termined in the same manner as Identification scheme 1. $h$ is a one-way hash 
function. 

We now describe our new signature scheme (Signature scheme 1) by which 
party A (the signer) generates a signature $(e, y_1, y_2)$ of a message $m$, and sends 
$(m, e, y_1, y_2)$ to B (the verifier). 

Protocol: Signature scheme 1 

Step 1 A (signer) picks random numbers $r_1, r_2 \in Z_q$, computes $x = g_1^{r_1} g_2^{r_2} 
\bmod p$. A computes $e = h(x, m) \in Z_{2^t}$ and $(y_1, y_2)$ such that $y_1 = 
r_1 + e s_1 \bmod q$, and $y_2 = r_2 + e s_2 \bmod q$. 

Step 2 A sends to B $(e, y_1, y_2)$ along with message $m$. 

Step 3 B computes $x = g_1^{y_1} g_2^{y_2} v^{e} \bmod p$, and checks that $e = h(x, m)$. 

6.2 Security of Signature Schemes 

In this subsection, we discuss the security of our signature schemes in the sense of 
"existentially unforgeable against adaptive chosen message attacks" defined by 
[GMRi]. Fiat and Shamir [FiS] have shown that the existence of an "ideal random 
function" as well as the factoring assumption is sufficient to prove the security of the 
Fiat-Shamir signature scheme. However, their assumption, the existence of an 
ideal random function, can never be realized in the real world, and to realize the 
"pseudo-random function" [GGM] as a common function requires a tamper-free 
device. 

In this paper, we clarify a reasonable assumption to prove the security of the 
Fiat-Shamir type signature schemes. We introduce a new class of one-way hash 
functions, correlation-free one-way hash functions, and show that the existence 
of a "correlation-free one-way hash function", as well as a primitive assumption, 
is sufficient to prove the security of our schemes. Although the existence of a 
correlation-free one-way hash function seems to be a stronger assumption than 
those of a universal one-way hash function, a claw-free pair of functions and a collision- 
free hash function, we strongly believe that carefully designed practical one-way 
hash functions such as MD5 and SHA are correlation-free one-way hash functions 
with any number theoretic predicate. 

Definition 19. A family of correlation-free one-way hash functions with $F$ is a 
set of hash functions, $H = \{H_n\}$ ($H_n$ is a subset of $H$ with security parameter 
$n$), with the following properties: 

- Poly-time indexing: Each function in $H_n$ has a unique $n$ bit index, $\sigma_n$, 
associated with it: $H_n = \{h_{\sigma_n} \mid \sigma_n \in \{0,1\}^n, h_{\sigma_n} : \{0, 1\}^{p(n)} \times \{0, 1\}^{s(n)} \to 
\{0, 1\}^{q(n)}\}$, where $p(n)$, $s(n)$, and $q(n)$ are polynomial in $n$. There is a proba- 
bilistic polynomial time algorithm, which, on input $n$, selects uniformly and 
randomly $\sigma_n$ in $\{\sigma_n\}$. 
- Poly-time evaluation: There exists a polynomial time algorithm that (for 
all $n \geq 1$), upon input of an index $\sigma_n$ and an argument $(x, m) \in \{0, 1\}^{p(n)} \times 
\{0, 1\}^{s(n)}$, computes $h_{\sigma_n}(x, m)$. 

- Correlation-freeness: Let $F = \{F_n \mid F_n = \{f_{\delta_n}\}\}$ be a poly-time index- 
ing ($\delta_n$) and poly-time evaluation predicate family such that $f_{\delta_n} : \{0, 1\}^{p(n)} 
\times \{0, 1\}^{q(n)} \times \{0, 1\}^{r(n)} \to \{0, 1\}$, where $r(n)$ is polynomial in $n$. Suppose that 
any family of boolean circuits, which, given $\delta_n$, can compute $x$ and $(e_i, y_i)$ 
($i = 1, \ldots, t(n)$) ($t(n)$ is polynomial in $n$) with nonnegligible probability such 
that $f_{\delta_n}(x, e_i, y_i) = 1$, must grow at a rate faster than any polynomial in 
$n$. Then, any family of boolean circuits, which, given $\sigma_n$ and $\delta_n$, can com- 
pute $(x, e, y, m)$ with nonnegligible probability such that $h_{\sigma_n}(x, m) = e$ and 
$f_{\delta_n}(x, e, y) = 1$, must grow at a rate faster than any polynomial in $n$. 

- One-wayness: Any family of boolean circuits, which, given $(x, m)$, can com- 
pute $m'$ ($m' \neq m$) with nonnegligible probability such that $h_{\sigma_n}(x, m') = 
h_{\sigma_n}(x, m)$, must grow at a rate faster than any polynomial in $n$. 

Theorem 20. Signature scheme 1 is existentially unforgeable against any adap- 
tive chosen message attacks if the discrete logarithm problem is intractable and 
$h$ is a correlation-free one-way hash function with $F = \{f_{(g_1, g_2, p, v)}\}$, where 
$f_{(g_1, g_2, p, v)}(x, e, (y_1, y_2)) = 1$ if and only if $x = g_1^{y_1} g_2^{y_2} v^{e} \bmod p$ holds. 

Sketch of Proof: 

Assume that there exists an adaptive chosen message attacker, $P$, to Signa- 
ture scheme 1. We also assume that the discrete logarithm problem is intractable. 
Then we will show a contradiction with the assumption that $h$ is a correlation- 
free one-way hash function with $F = \{f_{(g_1, g_2, p, v)}\}$. 

First, assume that $P$ can find $(x, e, y_1, y_2, e', y_1', y_2')$ ($e \neq e'$) with nonnegli- 
gible probability such that $x = g_1^{y_1} g_2^{y_2} v^{e} \bmod p$ and $x = g_1^{y_1'} g_2^{y_2'} v^{e'} \bmod p$, after 
adaptive chosen message attacks. Since, given $(g_1, g_2, p)$, $P$ can exactly simulate 
the valid signer by generating his/her secret key $(s_1, s_2)$ and following the signer's 
valid procedure, $P$ can calculate the discrete logarithm $\alpha$ ($g_2 = g_1^{\alpha} \bmod p$) by 
the technique described in the proof of Theorem 6. This contradicts the in- 
tractability assumption of the discrete logarithm problem. Therefore, $P$ can find 
$(x, e, y_1, y_2, e', y_1', y_2')$ ($e \neq e'$) only with negligible probability. 

On the other hand, from the assumption that $P$ is an adaptive chosen message 
attacker, $P$ can find $(x, e, y_1, y_2, m)$ with nonnegligible probability such that 
$h(x, m) = e$ and $x = g_1^{y_1} g_2^{y_2} v^{e} \bmod p$. This contradicts the assumption that $h$ is 
a correlation-free hash function with $F = \{f_{(g_1, g_2, p, v)}\}$. 

Thus, any attacker $P$ cannot find a valid signature message $(x, e, y_1, y_2, m)$ 
with nonnegligible probability after adaptive chosen message attacks. □ 

6.3 Two-Move and One-Move Identification Schemes 

In this subsection, we briefly introduce two-move and one-move identification 
schemes by using secure signature schemes above, which are almost as efficient 
as the proposed three-move identification schemes. 
A two-move secure identification scheme can be trivially constructed using a 
secure (existentially unforgeable against any adaptive chosen message attacks) 
signature scheme as follows: First, verifier B sends a random message $x$ to prover 
A, then A generates and sends A's signature of message $x$ to B, finally B checks 
the validity of A's signature. 

We can easily convert a two-move identification scheme into a one-move 
identification scheme by changing the challenge message $x$ into a time-stamp $t$, which both 
A and B share. That is, first A sends A's signature of message $t$ to B, then B 
checks it. 

6.4 Multi-Signature and Blind Signature 

The multi-signature and blind signature schemes of our proposed signature 
schemes (Signature schemes 1 to 5 and the variants) can be constructed. The 
multi-signature schemes are constructed in a manner similar to [Oh02], and the 
blind signature schemes are constructed based on the idea shown in [OkO]. 

Blind Signature for Signature Scheme 1 Here, we present only one example 
of the blind signature schemes, based on Signature scheme 1. The other blind 
signature schemes are constructed in the same way using the idea shown in 
[OkO]. (The blind signature scheme based on the Schnorr scheme is shown in 
Appendix B.) 

In the blind signature scheme, which was originally proposed by Chaum [Cha] 
based on the RSA scheme, a client, Bob, generates a blinded message $b(m)$ from 
a message $m$, and sends $b(m)$ to a blind signer, Alice. She generates her signature 
$s_A(b(m))$ of $b(m)$, and sends it to Bob. He calculates Alice's signature $s_A(m)$ of 
message $m$ from $s_A(b(m))$. Here, Alice has no information of $m$, and Bob has no 
information of Alice's secret key. 

We now describe our blind signature scheme based on Signature scheme 1. 
Alice's public key is $(p, q, g_1, g_2, t, v)$ and her secret key is $(s_1, s_2)$, which are 
those of Signature scheme 1. 

Protocol: Blind signature based on Signature scheme 1 

Step 1 Alice (blind signer) picks random numbers $r_1, r_2 \in Z_q$, computes $x = 
g_1^{r_1} g_2^{r_2} \bmod p$, and sends $x$ to Bob (client). 
Step 2 Bob picks random numbers $d, u_1, u_2 \in Z_q$ and computes 

  $x^* = g_1^{u_1} g_2^{u_2} v^{-d} x \bmod p$, $e^* = h(x^*, m)$, $e = e^* + d \bmod q$. 

Bob sends $e$ to Alice. Here, $m$ is a message to be signed. 
Step 3 Alice computes $(y_1, y_2)$ such that $y_1 = r_1 + e s_1 \bmod q$, and $y_2 = 
r_2 + e s_2 \bmod q$, and sends $(y_1, y_2)$ to Bob. 
Step 4 Bob computes $y_1^* = y_1 + u_1 \bmod q$, $y_2^* = y_2 + u_2 \bmod q$. 
$(e^*, y_1^*, y_2^*)$ is Alice's signature of message $m$. 

Note: $e$ is distributed on $Z_q$, while $e^*$ is distributed on $Z_{2^t}$. The difference is 
no problem in the blind signature scheme, since even an infinitely powerful attacker 
cannot find any linkage between $e$ and $e^*$. 
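Signature scheme 1 (Section 6.1), the identity-based key issuance for Identification scheme 1 (Section 5.2) and the blind signature protocol above, as one added Python example that is not the paper's code. The parameters $p = 10007$, $q = 5003$, $g_1 = 4$, $g_2 = 9$, $t = 12$ are constructed toy values, and the one-way hash $h$ is assumed to be SHA-256 reduced modulo $2^t$.

```python
import hashlib
import secrets

# Constructed toy parameters (NOT secure): p = 10007 = 2q + 1 with q = 5003 prime;
# g1 = 4 and g2 = 9 are squares mod p, hence of order q in Z_p^*; t = 12 so 2^t < q.
P, Q, T = 10007, 5003, 12
G1, G2 = 4, 9


def keygen():
    """Secret key (s1, s2) in Z_q, public key v = g1^-s1 g2^-s2 mod p (as in scheme 1)."""
    s1, s2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (s1, s2), pow(G1, -s1, P) * pow(G2, -s2, P) % P


def h(x, m):
    """Stand-in for the one-way hash h(x, m) in Z_{2^t}; assumption: SHA-256 reduced mod 2^t."""
    digest = hashlib.sha256(f"{x}|{m}".encode()).digest()
    return int.from_bytes(digest, "big") % (1 << T)


def sign(sk, m):
    """Signature scheme 1, Step 1: e = h(x, m), y1 = r1 + e s1, y2 = r2 + e s2 (mod q)."""
    s1, s2 = sk
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
    x = pow(G1, r1, P) * pow(G2, r2, P) % P
    e = h(x, m)
    return e, (r1 + e * s1) % Q, (r2 + e * s2) % Q


def verify(v, m, sig):
    """Signature scheme 1, Step 3: recompute x = g1^y1 g2^y2 v^e and check e = h(x, m)."""
    e, y1, y2 = sig
    x = pow(G1, y1, P) * pow(G2, y2, P) * pow(v, e, P) % P
    return e == h(x, m)


# Identity-based variant of Identification scheme 1 (Section 5.2): the trusted
# center T signs Id_A with Signature scheme 1 and hands A the negated responses.
def issue_identity_key(sk_T, id_A):
    """Returns A's secret key (q - y_A1, q - y_A2) and the public value e_A."""
    e_A, y1, y2 = sign(sk_T, id_A)
    return ((Q - y1) % Q, (Q - y2) % Q), e_A


def identity_public_key(sk_A):
    """v_A = g1^-s_A1 g2^-s_A2 mod p, computed by A from the key T issued."""
    s1, s2 = sk_A
    return pow(G1, -s1, P) * pow(G2, -s2, P) % P


def check_identity(v_T, id_A, v_A, e_A):
    """Verifier's check e_A = h(v_A v_T^e_A mod p, Id_A) before running scheme 1 on v_A."""
    return e_A == h(v_A * pow(v_T, e_A, P) % P, id_A)


# Blind signature based on Signature scheme 1 (Section 6.4).
def blind_challenge(v, x, m):
    """Step 2 (Bob): x* = g1^u1 g2^u2 v^-d x, e* = h(x*, m), e = e* + d mod q."""
    d, u1, u2 = secrets.randbelow(Q), secrets.randbelow(Q), secrets.randbelow(Q)
    x_star = pow(G1, u1, P) * pow(G2, u2, P) * pow(v, -d, P) * x % P
    e_star = h(x_star, m)
    return (e_star + d) % Q, (e_star, u1, u2)


def unblind(y1, y2, state):
    """Step 4 (Bob): (e*, y1 + u1 mod q, y2 + u2 mod q) is Alice's ordinary signature on m."""
    e_star, u1, u2 = state
    return e_star, (y1 + u1) % Q, (y2 + u2) % Q


def blind_sign(sk, v, m):
    """Whole exchange: Alice (holding sk) never sees m or e*, Bob never sees sk."""
    s1, s2 = sk
    r1, r2 = secrets.randbelow(Q), secrets.randbelow(Q)
    x = pow(G1, r1, P) * pow(G2, r2, P) % P            # Step 1: Alice -> Bob
    e, state = blind_challenge(v, x, m)                # Step 2: Bob -> Alice
    y1, y2 = (r1 + e * s1) % Q, (r2 + e * s2) % Q      # Step 3: Alice -> Bob
    return unblind(y1, y2, state)                      # Step 4: Bob
```

The unblinded triple passes the ordinary `verify` of Signature scheme 1, which is what makes the result indistinguishable from a directly issued signature.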
7 Performance 

This section compares the computation amount of our schemes against those of 
the previous practical schemes in terms of the required number of modular 
multiplications, and also compares the key and signature lengths. 

We assume that moduli $p$ and $q$ for our scheme 1 and Schnorr are 512 bits and 
140 bits respectively, $p$ and $q$ for DSA are 512 bits and 160 bits, and the modulus 
$n$ for our scheme 3, Guillou-Quisquater (GQ), Ohta-Okamoto (OO) and Feige- 
Fiat-Shamir (FFS) is 512 bits. The security parameter for the identification 
schemes is assumed to be 20, or $e$ (the challenge from the verifier) is 20 bits. 
The security parameter for the signature schemes is assumed to be 128, or $e$ (the 
output of the hash function of $x$ and a message) is 128 bits, since the output size 
of many typical hash functions such as MD5 is 128 bits. We also assume that 
the parameters for Feige-Fiat-Shamir are $k = |e|$ and $t = 1$. 

Here, we estimate the performance of unsophisticated implementations, since the purpose of this comparison is to compare, relative to one another, schemes built on the same primitive problem (e.g., our scheme 1 and Schnorr), and many sophisticated techniques (e.g., [Mon, BGMW]) apply about equally to schemes with the same primitive problem. We assume the standard binary method and the extended binary method (4.6.3 ex. 27 in [Kun]) for modular exponentiation.



Table 1. Comparison of Identification Schemes

                                         Proposed    Schnorr     Proposed    GQ          OO          FFS
                                         Scheme 1                Scheme 3
Provably secure?                         Yes         No          Yes         No          Yes         Yes
Primitive problem                        Disc. log.  Disc. log.  Fact.       RSA         Fact.       Fact.
ID-based variant                         Possible    Possible    Possible    Possible    Hard        Possible
System parameter size (bits)             1676        1164        532         20          20          0
Public key size (bits)                   512         512         1024        1024        1024        10240
Secret key size (bits)                   280         140         532         512         512         10240
Communication amount (bits)              812         672         1064        1044        1044        1044
Preprocessing (prover)                   245         210         35          30          30          1
  (# of 512-bit modular multiplications)
On-line processing (prover)              almost 0    almost 0    32          31          31          10
  (# of 512-bit modular multiplications)
On-line processing (verifier)            248         210         38          35          35          11
  (# of 512-bit modular multiplications)
Table 2. Comparison of Signature Schemes

                                   Proposed    Schnorr     DSA         Proposed    GQ          OO          FFS
                                   Scheme 1                            Scheme 3
Assumption                         Weak        Strong      Strong      Weak        Strong      Weak        Weak
Primitive problem                  Disc. log.  Disc. log.  Disc. log.  Fact.       RSA         Fact.       Fact.
ID-based variant                   Possible    Possible    Possible    Possible    Possible    Hard        Possible
Multi-signature                    Possible    Possible    Hard        Possible    Possible    Possible    Possible
Blind signature                    Possible    Possible    Hard        Possible    Possible    Possible    Possible
System parameter size (bits)       1676        1164        1164        640         128         128         0
Public key size (bits)             512         512         512         1024        1024        1024        66048
Secret key size (bits)             280         140         160         640         512         512         65536
Signature size (bits)              408         268         320         768         640         640         640
Preprocessing for signing          245         210         237         224         192         192         1
  (# of 512-bit modular multiplications)
Signing                            almost 0    almost 0    almost 0    194         193         193         65
  (# of 512-bit modular multiplications)
Verifying                          261         242         277         240         224         224         66
  (# of 512-bit modular multiplications)
Appendix A

In this appendix, we introduce a variant of "no useful information transfer" [FFS] given by Ohta and Okamoto [OhOk], called "no transferable information with (sharp threshold) security level".

Definition 21. An identification scheme $(A, B)$ is secure with security level $p$ if

1. $(A, B)$ succeeds with overwhelming probability.

2. There is no coalition of $\tilde{A}, \tilde{B}$ with the property that, after a polynomial number of executions of $(A, \tilde{B})$ and relaying a transcript of the communication to $\tilde{A}$, it is possible to execute $(\tilde{A}, B)$ with $c \cdot p$ probability of success, where $c = (1 + 1/|n|^d)$ and $d$ is an arbitrary constant. The probability is taken over the distribution of the public key and the secret key as well as the coin tosses of $A$, $B$, $\tilde{A}$, and $\tilde{B}$, up to the time of the attempted impersonation.

Definition 22. An identification scheme $(A, B)$ is secure with sharp threshold security level $p$ if

1. $(A, B)$ is secure with security level $p$.

2. There exists $\tilde{A}$ such that it is possible to execute $(\tilde{A}, B)$ with $p$ probability of success.
Appendix B

In this appendix, we introduce the identity-based variant and the blind signature scheme of the Schnorr scheme.

B.1 Identity-Based Variant of the Schnorr Scheme

A trusted center T (or key authentication center) generates a public key $(p, q, g, t, v_T)$ and its secret key $s_T$, and publishes the public key as a system parameter. T generates T's digital signature, $(e_A, y_A)$, of A's identity, $Id_A$. T gives A A's secret key $s_A$ and $e_A$, where $s_A = q - y_A$. Then A generates A's public key $v_A = g^{-s_A} \bmod p$ from the secret key given by T.

In this identity-based identification protocol, A first sends $(Id_A, v_A, e_A)$ to verifier B along with $x$. B checks the validity of $Id_A$ and $v_A$ by checking whether $e_A = h(v_A v_T^{e_A} \bmod p,\ Id_A)$ holds or not. If the check passes, the remaining protocol is the same as the Schnorr scheme.

B.2 Blind Signature of the Schnorr Scheme

Alice's public key is $(p, q, g, t, v)$ and her secret key is $s$.

Protocol: Blind signature based on the Schnorr scheme

Step 1 Alice (blind signer) picks a random number $r \in Z_q$, computes $x = g^r \bmod p$, and sends $x$ to Bob (client).
Step 2 Bob picks random numbers $d, u \in Z_q$, computes
$$x^* = g^u v^{-d} x \bmod p, \quad e^* = h(x^*, m), \quad e = e^* + d \bmod q.$$
Bob sends $e$ to Alice. Here, $m$ is a message to be signed.
Step 3 Alice computes $y$ such that $y = r + es \bmod q$, and sends $y$ to Bob.
Step 4 Bob computes $y^* = y + u \bmod q$. $(e^*, y^*)$ is Alice's signature of message $m$.
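The blind-signature protocol on Signature scheme 1 given earlier and the protocol on the Schnorr scheme in B.2 differ only in the number of generators, so one implementation covers both. The Python code below is an added example written for this edition, not code from the paper: it uses a toy group $p = 607$, $q = 101$ (an assumption; far too small for real use, the paper's comparison assumes a 512-bit $p$), instantiates $h$ as SHA-256 truncated to $t = 64$ bits (an assumption), and the names `keygen`, `blind_sign`, `verify` and `demo` are the example's own. Alice's Step 1 and Step 3 only ever see $x$, $e$ and $y$; Bob's blinding values $d, u_i$ are what keep $m$, $e^*$ and $y^*$ out of her transcript.

```python
import hashlib
import secrets

# Toy group (NOT secure): p = 607, q = 101, q | p - 1.  Use at least a 2048-bit p today.
P, Q = 607, 101
T_BITS = 64            # hash output length t: e* is distributed on Z_{2^t}, e on Z_q


def h(x: int, m: bytes) -> int:
    """e* = h(x*, m): SHA-256 of (x, m) truncated to t bits (assumed instantiation)."""
    d = hashlib.sha256(x.to_bytes(2, "big") + m).digest()
    return int.from_bytes(d, "big") % (1 << T_BITS)


def keygen(k: int):
    """k generators of order q; k = 1 is the Schnorr scheme of B.2, k = 2 is Scheme 1.
    Public key (g_1..g_k, v) with v = prod g_i^{-s_i} mod p; secret key (s_1..s_k)."""
    gens = [pow(b, (P - 1) // Q, P) for b in (2, 3, 5, 7)[:k]]
    sec = [secrets.randbelow(Q) for _ in range(k)]
    v = 1
    for g, s in zip(gens, sec):
        v = v * pow(g, -s, P) % P
    return (gens, v), sec


def blind_sign(pub, sec, m: bytes):
    """Steps 1-4 with both parties in one process.  Returns the signature (e*, y*)
    and Alice's transcript (x, e, y), which contains neither m, e* nor y*."""
    gens, v = pub
    k = len(gens)
    # Step 1 (Alice): x = prod g_i^{r_i} mod p
    r = [secrets.randbelow(Q) for _ in range(k)]
    x = 1
    for g, ri in zip(gens, r):
        x = x * pow(g, ri, P) % P
    # Step 2 (Bob): x* = prod g_i^{u_i} v^{-d} x mod p, e* = h(x*, m), e = e* + d mod q
    d = secrets.randbelow(Q)
    u = [secrets.randbelow(Q) for _ in range(k)]
    x_star = x * pow(v, -d, P) % P
    for g, ui in zip(gens, u):
        x_star = x_star * pow(g, ui, P) % P
    e_star = h(x_star, m)
    e = (e_star + d) % Q
    # Step 3 (Alice): y_i = r_i + e s_i mod q
    y = [(ri + e * si) % Q for ri, si in zip(r, sec)]
    # Step 4 (Bob): y_i* = y_i + u_i mod q
    y_star = [(yi + ui) % Q for yi, ui in zip(y, u)]
    return (e_star, y_star), (x, e, y)


def verify(pub, m: bytes, sig) -> bool:
    """Ordinary verification: x* = prod g_i^{y_i*} v^{e*} mod p must satisfy h(x*, m) = e*."""
    gens, v = pub
    e_star, y_star = sig
    x = pow(v, e_star, P)
    for g, yi in zip(gens, y_star):
        x = x * pow(g, yi, P) % P
    return h(x, m) == e_star


def demo(k: int):
    """Returns (signature verifies, the same signature verifies on another message)."""
    pub, sec = keygen(k)
    m = b"constructed message"          # constructed sample input
    sig, _transcript = blind_sign(pub, sec, m)
    return verify(pub, m, sig), verify(pub, b"another message", sig)
```

Unlinkability is visible in the algebra: for any transcript $(x, e, y)$ and any valid signature $(e^*, y^*)$ there is exactly one choice of $(d, u_i)$ relating them, so Alice's view is independent of which signature Bob ends up with.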
Abstract. We propose a practical digital signature scheme based on the elliptic curve modulo $n$, where $n = p^2 q$ such that $p$ and $q$ are large secret primes. The signature generation speed of our scheme is more than 10 times faster than that of the RSA scheme. Moreover, a pre-processing technique can significantly increase the signature generation speed.

1 Introduction 

The use of digital signatures is being increasingly demanded to ensure the integrity and authenticity of digital messages and documents. Applications include electronic mail, office automation, and electronic funds transfer.

Many digital signature schemes have been developed since Diffie and Hellman's seminal paper on public key cryptosystems [DH] was presented in 1976. Among these schemes, the RSA scheme [RSA] appears to be very promising from the practical viewpoint. However, the RSA scheme has the disadvantage of low processing speed, and is somewhat insecure against low multiplier attacks [Ha] and attacks using the homomorphic property [EH]. Although effective countermeasures are known against these attacks, the existence of these attacks may imply some implicit weaknesses in the RSA scheme.

The security of the RSA scheme can be increased with the scheme based on an elliptic curve over a ring $Z_n$ [KMOV]. This variant (the KMOV scheme) seems to be more secure than the original RSA scheme against some attacks such as low multiplier attacks, although it is less efficient.

In this paper, we propose a new digital signature scheme based on an elliptic curve over a ring $Z_n$ that is more efficient than the RSA scheme as well as the KMOV scheme. We construct the new scheme on an elliptic curve over a ring using the idea of Okamoto's scheme [Ok]. The new scheme seems to be more secure than Okamoto's scheme against low degree attacks (or lattice attacks) and seems to be more secure than the RSA scheme against the homomorphic attacks. That is, our scheme with parameter $k = 2$, the double version, seems to be secure, while Okamoto's scheme with $k = 2$, the quadratic version, has been broken [BD, VGT]. Our scheme has no homomorphic property since the relationship between a message and its signature is randomized (or, equivalently, our signature is verified by an inequality, not by an equation), so no homomorphic attack seems to apply to our scheme. This implies a possibility that our scheme may still be secure even if security weaknesses in Okamoto's or the RSA scheme are found in the future.

The pre-processing technique (off-line processing) is possible with our scheme, as is true for Okamoto's scheme and DSA, proposed by NIST as DSS (the Digital Signature Standard) [NIST]. This dramatically increases the signature generation (on-line processing) speed of our scheme. Thus, signature generation with our scheme is effectively instantaneous even if implemented on a smart card.

2 Notations

$Z_n$ denotes the set of integers between 0 and $n - 1$, and $Z_n^*$ denotes the set of integers between 0 and $n - 1$ which are relatively prime to $n$. $\lceil M \rceil$ denotes the least integer which is larger than or equal to $M$. $x \equiv y \pmod n$ denotes that $n$ divides $x - y$. $f(x) \bmod n$ denotes the integer such that $n$ divides $f(x) - (f(x) \bmod n)$ and $f(x) \bmod n \in Z_n$. $x/y \bmod n$ denotes the integer such that $n$ divides $x - y\,(x/y \bmod n)$ and $x/y \bmod n \in Z_n$. $|X|$ denotes $\lfloor \log_2 X \rfloor + 1$, or the bit size of $X$.

3 Elliptic Curves over a Field and a Ring

Assume that $K$ is the finite prime field $GF(p)$ with $p \ne 2, 3$. An elliptic curve over $K$ (in affine coordinates), denoted by $C_p$, is the set of all solutions $(x, y) \in K \times K$ to the equation
$$C_p:\ y^2 = x^3 + ax + b \bmod p, \qquad (1)$$
where $a, b \in K$, and $4a^3 + 27b^2 \not\equiv 0 \pmod p$, together with a special point $O$, called the point at infinity. Here, the group law operation [Kol] (usually we call it the addition, and use the notation $+$) is defined over the points on $C_p$, $P(x_1, y_1)$, $Q(x_2, y_2)$, and $R(x_3, y_3)$ as follows:

• $P(x_1, y_1) + Q(x_2, y_2) = R(x_3, y_3)$ over $Z_p$  (2)

• $2P(x_1, y_1) = R(x_3, y_3)$ over $Z_p$  (3)

(The coordinate formulas behind (2) and (3) are the functions $g$ and $f$ written out in Section 5.4.1.)

Let $p$ and $q$ be primes and $n = p^2 q$. Consider an elliptic curve modulo $n$: $C_n$. The addition operation on $C_n$ is analogous to the usual one over $GF(p)$, although $C_n$ is not a group.
4 Okamoto's Digital Signature Scheme

4.1 Procedures

• Keys:

  o Secret key: large prime numbers $p, q$ ($p > q$).
  o Public key: a positive integer $n = p^2 q$.

• Signature generation:

  o The signature $s$ of a message $m$ is computed by the originator as follows:

    * Pick a random number $t \in Z^*_{pq}$.

    * Compute $s$ such that
      $$w = \left\lceil \frac{h(m) - (t^k \bmod n)}{pq} \right\rceil,$$
      $$u = w / (k t^{k-1}) \bmod p,$$
      $$s = t + upq,$$
      where $h$ is a one-way hash function ($h(m) \in Z_n$ for any positive integer $m$), and $k$ is an integer ($k \ge 4$).

• Signature verification:

  o The signature message $(s, m)$ is considered valid if the following verification inequality holds:
    $$h(m) \le s^k \bmod n < h(m) + 2^{2|n|/3}.$$

5 Proposed Digital Signature Scheme Based on Elliptic 
Curves over a Ring 

Before describing our new proposed scheme, we introduce two extensions of 
Okamoto's scheme. The first one is the extension of the function type; from the 
polynomial function to the rational function. The other extension is the number 
of variables; from the one variable function to the multi-variable function. 



5.1 Mathematical Preparations

The Taylor series expansion and the generalized Taylor series expansion for a multi-variable function are essential to prove the correctness of our schemes.

Proposition 1. (The Taylor expansion)

When function $f$ is a one-variable infinitely differentiable function,
$$f(a + x) = f(a) + f^{(1)}(a)\,x + \frac{f^{(2)}(a)}{2!}x^2 + \cdots + \frac{f^{(l)}(a)}{l!}x^l + \cdots,$$
where $a$ is not a singular point, $x$ is less than the radius of convergence, and $f^{(l)}$ denotes the $l$-th derivative of $f$.

Proposition 2. (The generalized Taylor expansion)

When function $f$ is a $t$-variable infinitely differentiable function,
$$f(a_1 + x_1, a_2 + x_2, \ldots, a_t + x_t) = f(a_1, a_2, \ldots, a_t) + \left(x_1 \frac{\partial}{\partial x_1} + \cdots + x_t \frac{\partial}{\partial x_t}\right) f(a_1, a_2, \ldots, a_t) + \cdots + \frac{1}{l!}\left(x_1 \frac{\partial}{\partial x_1} + \cdots + x_t \frac{\partial}{\partial x_t}\right)^l f(a_1, a_2, \ldots, a_t) + \cdots,$$
where $(a_1, a_2, \ldots, a_t)$ is not a singular point, $(x_1, x_2, \ldots, x_t)$ is less than the radius of convergence, and $\left(x_1 \frac{\partial}{\partial x_1} + \cdots + x_t \frac{\partial}{\partial x_t}\right)^l f(a_1, a_2, \ldots, a_t)$ denotes the value at $(a_1, a_2, \ldots, a_t)$ of $\left(x_1 \frac{\partial}{\partial x_1} + \cdots + x_t \frac{\partial}{\partial x_t}\right)^l f(x_1, x_2, \ldots, x_t)$.

5.2 Extension Using a Rational Function

In this section, we show an extension of Okamoto's scheme, in which a rational function $f$ is used in place of the polynomial function.

5.2.1 Procedures

• Keys:

  o Secret key: large prime numbers $p, q$ ($p > q$).
  o Public key: a positive integer $n = p^2 q$ and a rational function $f$.

• Signature generation:

  o The signature $s$ of a message $m$ is computed by an originator as follows:

    * Pick a random number $t \in Z^*_{pq}$. If one of the following cases occurs, pick another random number $t \in Z^*_{pq}$: (1) $f(t) \bmod p = \infty$, (2) $f(t) \bmod q = \infty$, (3) $f(t) \bmod p = 0$, (4) $f(t) \bmod q = 0$, (5) $f'(t) \bmod p = 0$. Here, $f$ is a rational function, i.e., there exist polynomial functions $a$ and $b$ satisfying $f = a/b$, and $f'$ is the derivative of $f$, i.e., $f'(x) = (a'(x)b(x) - a(x)b'(x))/b(x)^2$. Note that this check is not necessary in practice, since these cases occur with negligible probability.

    * Compute $s$ such that
      $$w = \left\lceil \frac{h(m) - (f(t) \bmod n)}{pq} \right\rceil,$$
      $$u = w / f'(t) \bmod p,$$
      $$s = t + upq.$$
      Here, $h$ is a one-way hash function ($h(m) \in Z_n$ for any positive integer $m$). Functions $h$ and $f$ can be fixed in the system.

• Signature verification:

  o The signature message $(s, m)$ is considered valid if the following verification inequality holds:
    $$h(m) \le f(s) \bmod n < h(m) + 2^{2|n|/3}.$$
5.2.2 Correctness

Theorem 3. Let $0 \le h(m) < n - pq$, and $s$ be the signature of $m$, which is generated through the above-described procedure. Then,
$$h(m) \le f(s) \bmod n < h(m) + pq.$$

Proof. First, let $\bar{f}(x) \equiv f(x) \pmod n$ for all $x \in Z_n$, such that no singular point of $\bar{f}(x)$ lies in the interval $[0, n)$. For any rational function $f(x)$, such an $\bar{f}(x)$ always exists. This is because: let $a_i \in [0, n)$ ($i = 1, \ldots, k$) be the singular points of $f(x)$, so that
$$f(x) = \frac{c(x)}{(x - a_1)(x - a_2) \cdots (x - a_k)\, b(x)}.$$
Let
$$\bar{f}(x) = \frac{c(x)}{(x - \bar{a}_1)(x - \bar{a}_2) \cdots (x - \bar{a}_k)\, b(x)},$$
where $\bar{a}_i = a_i + n$ ($i = 1, \ldots, k$). Then $\bar{f}(x)$ satisfies the above conditions.

Since $\bar{f}(x)$ is an analytic function and there exists no singular point in the interval $[0, n)$, the Taylor expansion of $\bar{f}(t + v)$ around $t$ converges for any $t \in [0, n)$ and $t + v \in [0, n)$. That is,
$$\bar{f}(t + v) = \bar{f}(t) + \bar{f}^{(1)}(t)\, v + \frac{\bar{f}^{(2)}(t)}{2!} v^2 + \cdots$$
for any $t \in [0, n)$ and $t + v \in [0, n)$. Hence,
$$\bar{f}(t + upq) \bmod n = \left(\bar{f}(t) + \bar{f}^{(1)}(t)\, upq + \frac{\bar{f}^{(2)}(t)}{2!}(upq)^2 + \cdots\right) \bmod n = \bar{f}(t) + \bar{f}^{(1)}(t)\, upq \bmod n,$$
for any $t \in Z_n$ and $t + upq \in Z_n$, since $(pq)^2 = qn \equiv 0 \pmod n$ kills every term of degree two or more in $upq$. From the definition of $\bar{f}(x)$, $\bar{f}(t + upq) \bmod n = f(t + upq) \bmod n$. Therefore,
$$f(t + upq) \bmod n = f(t) + f^{(1)}(t)\, upq \bmod n.$$
Furthermore, from the equation $w = f^{(1)}(t)\, u \bmod p$, we have
$$f(t + upq) \bmod n = f(t) + wpq \bmod n.$$
On the other hand, from the definition $w = \lceil (h(m) - (f(t) \bmod n)) / pq \rceil$, we obtain
$$wpq = h(m) - (f(t) \bmod n) + \gamma,$$
where $0 \le \gamma < pq$. Therefore we have the following equation:
$$f(t + upq) \bmod n = f(t) + h(m) - (f(t) \bmod n) + \gamma \bmod n = h(m) + \gamma \bmod n.$$
Since $0 \le h(m) < n - pq$,
$$h(m) \le h(m) + \gamma \bmod n = h(m) + \gamma < h(m) + pq.$$
Hence we obtain
$$h(m) \le f(s) \bmod n < h(m) + pq,$$
where $s = t + upq$.
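To make the mechanism of Okamoto's scheme (Section 4) and its rational-function extension (Section 5.2) concrete, here is an added Python example; it is not code from the paper. It represents $f = a/b$ by coefficient lists, computes $w$, $u$ and $s$ exactly as in 5.2.1 (including the retry cases (1) to (5)), checks the verification window $2^{2|n|/3}$, and hashes into $[0, n - pq)$ so that Theorem 3 applies. The toy primes $p, q$, the two sample functions `OKAMOTO_K4` ($f(x) = x^4$) and `RATIONAL` ($f(x) = (x^4 + 1)/(x + 2)$), and the use of SHA-256 for $h$ are the example's own assumptions; the primes give no security.

```python
import hashlib
import secrets
from math import gcd

# Toy secret primes (NOT secure; the paper's estimate assumes |n| = 768 bits).  p > q as in the paper.
P, Q = 1000003, 999983
N = P * P * Q
PQ = P * Q
BOUND = 1 << (2 * N.bit_length() // 3)      # verification window 2^{2|n|/3}; here pq < BOUND

# Rational functions f = a/b as coefficient lists, lowest degree first (constructed examples).
OKAMOTO_K4 = ([0, 0, 0, 0, 1], [1])         # f(x) = x^4: Okamoto's scheme with k = 4
RATIONAL = ([1, 0, 0, 0, 1], [2, 1])        # f(x) = (x^4 + 1) / (x + 2): the Section 5.2 extension


def poly_eval(coeffs, x, mod):
    """Horner evaluation of sum_i coeffs[i] x^i modulo mod."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc


def poly_deriv(coeffs):
    return [i * c for i, c in enumerate(coeffs)][1:] or [0]


def f_mod(f, x, mod):
    """f(x) = a(x)/b(x) modulo mod, or None when b(x) is not invertible (the 'infinity' cases)."""
    a, b = f
    bx = poly_eval(b, x, mod)
    if gcd(bx, mod) != 1:
        return None
    return poly_eval(a, x, mod) * pow(bx, -1, mod) % mod


def f_prime_mod_p(f, x):
    """f'(x) = (a'b - ab') / b^2 modulo p (quotient rule), or None when b(x) = 0 mod p."""
    a, b = f
    bx = poly_eval(b, x, P)
    if bx == 0:
        return None
    ax = poly_eval(a, x, P)
    dax, dbx = poly_eval(poly_deriv(a), x, P), poly_eval(poly_deriv(b), x, P)
    return (dax * bx - ax * dbx) * pow(bx * bx % P, -1, P) % P


def h(m: bytes) -> int:
    """Hash into [0, n - pq): Theorem 3 needs h(m) < n - pq (assumed SHA-256 instantiation)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (N - PQ)


def sign(f, m: bytes) -> int:
    hm = h(m)
    while True:
        t = secrets.randbelow(PQ)
        if gcd(t, PQ) != 1:
            continue                              # t must be in Z*_{pq}
        ft, fpt = f_mod(f, t, N), f_prime_mod_p(f, t)
        if ft is None or not fpt or ft % P == 0 or ft % Q == 0:
            continue                              # the paper's cases (1)-(5)
        w = -((ft - hm) // PQ)                    # w = ceil((h(m) - (f(t) mod n)) / pq)
        u = w * pow(fpt, -1, P) % P               # u = w / f'(t) mod p
        return t + u * PQ                         # s = t + u pq


def verify(f, m: bytes, s: int) -> bool:
    hm = h(m)
    fs = f_mod(f, s, N)
    return fs is not None and hm <= fs < hm + BOUND
```

Note the one-line Taylor step hiding in `sign`: $f(t + upq) \equiv f(t) + f'(t)\,upq \pmod n$ because $(pq)^2 \equiv 0 \pmod n$, so only $f'(t)$ modulo $p$ is needed to steer $f(s) \bmod n$ into the window $[h(m), h(m) + pq)$.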
5.3 Extension Using a Multi-Variable Function

In this section, we present another extension of Okamoto's scheme, in which a multi-variable rational function $f$ takes the place of the single-variable function.

5.3.1 Procedures

Let $f_j$ ($j = 1, \ldots, J$) be an $I$-variable rational function and $f$ denote $(f_1, \ldots, f_J)$. Let $x = (x_1, \ldots, x_I)$, $y = (y_1, \ldots, y_J)$, where $x_i \in Z_n$ ($i = 1, \ldots, I$) and $y_j \in Z_n$ ($j = 1, \ldots, J$). We write $y = f(x)$ for $y_j = f_j(x_1, \ldots, x_I)$ ($j = 1, \ldots, J$).

In this subsection, we show a signature scheme that uses $f$ only once. However, by repeating the following procedure, we can easily construct a signature scheme based on a more complicated multi-variable rational function. In the next section, we will show an example in which the basic procedure is repeatedly executed.

For simplicity of explanation, we suppose that $I = J$.

• Keys:

  o Secret key: large prime numbers $p, q$ ($p > q$).
  o Public key: a positive integer $n = p^2 q$ and a multi-variable function $f$.

• Signature generation:

  o The signature $s = (s_1, \ldots, s_I)$ ($s_i \in Z_n$; $i = 1, \ldots, I$) of a message $m$ is computed by originator A as follows:

    * Pick a random number vector $t = (t_1, \ldots, t_I)$ ($t_i \in Z^*_{pq}$; $i = 1, \ldots, I$). If one of the following cases occurs, pick another random number vector $t$: for $j \in \{1, \ldots, I\}$, (1) $f_j(t) \bmod p = \infty$, (2) $f_j(t) \bmod q = \infty$, (3) $f_j(t) \bmod p = 0$, (4) $f_j(t) \bmod q = 0$, (5) the $I \times I$ matrix $\Delta f(t) \bmod p$ is not regular. Here, $f_j$ is an $I$-variable rational function, and
      $$\Delta f(t) \bmod p = \begin{pmatrix} \frac{\partial f_1}{\partial x_1}(t) & \cdots & \frac{\partial f_1}{\partial x_I}(t) \\ \vdots & & \vdots \\ \frac{\partial f_I}{\partial x_1}(t) & \cdots & \frac{\partial f_I}{\partial x_I}(t) \end{pmatrix} \bmod p.$$
      Note that this check is not necessary in practice, since these cases occur with negligible probability.

    * Compute $s$ such that
      $$(m_1, \ldots, m_I) = h(m) \quad (m_j \in Z_n;\ j = 1, \ldots, I),$$
      $$w_j = \left\lceil \frac{m_j - (f_j(t) \bmod n)}{pq} \right\rceil \quad (j = 1, \ldots, I),$$
      $$(u_1, \ldots, u_I)^T = (\Delta f(t))^{-1} (w_1, \ldots, w_I)^T \bmod p,$$
      $$s_i = t_i + u_i pq \quad (i = 1, \ldots, I),$$
      $$s = (s_1, \ldots, s_I).$$
      Here, $h$ is a one-way hash function. Functions $h$ and $f$ can be fixed in the system.

• Signature verification:

  o The signature message $(s, m)$ is considered valid if the following verification inequality holds for all $j = 1, \ldots, I$:
    $$m_j \le f_j(s) \bmod n < m_j + 2^{2|n|/3},$$
    where $(m_1, \ldots, m_I) = h(m)$.

5.3.2 Correctness

Theorem 4. Let $0 \le m_j < n - pq$ for all $j = 1, \ldots, I$, and $s$ be the signature of $m$, which is generated through the above-described procedure. Then,
$$m_j \le f_j(s) \bmod n < m_j + pq.$$

This theorem can be proven in a manner similar to Theorem 3, using the generalized Taylor expansion.

5.4 A New Scheme Based on an Elliptic Curve over $Z_n$

This section introduces our new scheme based on an elliptic curve over $Z_n$. The correctness of the scheme follows as a combined specific example of the two previous extensions of Okamoto's scheme; the new scheme is the two-variable rational function version.

5.4.1 Elliptic Curve and Some Definitions

We consider an elliptic curve $C_n$:
$$y^2 = x^3 + ax + b \text{ over } Z_n.$$

As described in Section 3, the addition operation is defined over the points on $C_n$, $P(x_1, y_1)$, $Q(x_2, y_2)$, and $R(x_3, y_3)$, by equations (2) and (3) over $Z_n$. Here, let $f = (f_x, f_y)$, $g = (g_x, g_y)$ such that
$$f_x(x_1, y_1) = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1,$$
$$f_y(x_1, y_1) = -y_1 + \left(\frac{3x_1^2 + a}{2y_1}\right)\bigl(x_1 - f_x(x_1, y_1)\bigr),$$
$$g_x(x_1, y_1, x_2, y_2) = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2,$$
$$g_y(x_1, y_1, x_2, y_2) = -y_1 + \left(\frac{y_2 - y_1}{x_2 - x_1}\right)\bigl(x_1 - g_x(x_1, y_1, x_2, y_2)\bigr).$$
Then we can express
$$2P = f(P) \bmod n,$$
$$P + Q = g(P, Q) \bmod n.$$
Therefore, for an integer $k$, we can calculate $R = kP$ over $Z_n$ by using an addition chain corresponding to $k$, where $P$ and $R$ are points on $C_n$.

Let
$$\Delta f = \begin{pmatrix} \frac{\partial f_x}{\partial x_1} & \frac{\partial f_x}{\partial y_1} \\ \frac{\partial f_y}{\partial x_1} & \frac{\partial f_y}{\partial y_1} \end{pmatrix}, \qquad \Delta g = \begin{pmatrix} \frac{\partial g_x}{\partial x_1} & \frac{\partial g_x}{\partial y_1} & \frac{\partial g_x}{\partial x_2} & \frac{\partial g_x}{\partial y_2} \\ \frac{\partial g_y}{\partial x_1} & \frac{\partial g_y}{\partial y_1} & \frac{\partial g_y}{\partial x_2} & \frac{\partial g_y}{\partial y_2} \end{pmatrix}.$$

Next, let $A = (A_1, A_2)$, $B = (B_1, B_2)$, $C = (C_1, C_2)$ such that
$$A_1 = (a_x, a_y), \quad B_1 = (b_x, b_y), \quad C_1 = (c_x, c_y),$$
$$A_2 = \begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix}, \quad B_2 = \begin{pmatrix} b_{11} & b_{12} \\ b_{21} & b_{22} \end{pmatrix}, \quad C_2 = \begin{pmatrix} c_{11} & c_{12} \\ c_{21} & c_{22} \end{pmatrix},$$
where $a_x, a_y, b_x, b_y, c_x, c_y \in Z_n$, and $a_{ij}, b_{ij}, c_{ij} \in Z_p$ ($i, j \in \{1, 2\}$).

Definition 5. (Functions $F$ and $G$)

Let $F$ be a function such that $F(A) = (C_1, C_2)$, where
$$C_1 = f(A_1) \bmod n, \quad \text{and} \quad C_2 = \Delta f(A_1) \cdot A_2 \bmod p.$$

Let $G$ be another function such that $G(A, B) = (C_1, C_2)$, where
$$C_1 = g(A_1, B_1) \bmod n, \quad \text{and} \quad C_2 = \Delta g(A_1, B_1) \cdot [A_2, B_2] \bmod p,$$
where $[A_2, B_2]$ denotes the $4 \times 2$ matrix in which the $i$-th (1st and 2nd) row of $A_2$ is the $i$-th (1st and 2nd) row and the $i$-th (1st and 2nd) row of $B_2$ is the $(i + 2)$-nd (3rd and 4th) row.
5.4.2 Procedures

• Keys:

  o Secret key: large prime numbers $p, q$ ($p > q$).
  o Public key: a positive integer $n = p^2 q$ and a parameter (of the curve) $a$.

• Signature generation:

  o Signature $S = (s_x, s_y)$ of a message $m$ is computed by the originator as follows:

    * Pick a random number vector $T = (t_x, t_y)$ ($t_x, t_y \in Z^*_{pq}$). If one of the following cases occurs while executing the following signature generation procedure, return to this stage and pick another random number vector $T$: for $i \in \{x, y\}$, (1) $(kT \text{ over } Z_n)_i \bmod p = \infty$, (2) $(kT \text{ over } Z_n)_i \bmod q = \infty$, (3) $(kT \text{ over } Z_n)_i \bmod p = 0$, (4) $(kT \text{ over } Z_n)_i \bmod q = 0$, (5) the $2 \times 2$ matrix $D(T) \bmod p$ is not regular, where $kT$ over $Z_n$ means $k$ times the point $T$ by the addition formula on $C_n$, and $(\cdot)_x$ (or $(\cdot)_y$) means the $x$-coordinate (or $y$-coordinate) of the point $(\cdot)$. (Note that the calculation $kT$ over $Z_n$ here is formally executed by the addition formula, and that $T$ need not be on $C_n$.) Note that this check is not necessary in practice, since these cases occur with negligible probability.

    * Compute $S$ such that
      $$M = (m_x, m_y) = h(m) \quad (m_x, m_y \in Z_n),$$
      where $h$ is a one-way hash function,
      $$w_x = \left\lceil \frac{m_x - (kT \text{ over } Z_n)_x}{pq} \right\rceil, \qquad w_y = \left\lceil \frac{m_y - (kT \text{ over } Z_n)_y}{pq} \right\rceil.$$
      Next the $2 \times 2$ matrix $D(T, k)$ is computed from $T$ and $k$ by Algorithm D below. Then
      $$(u_x, u_y)^T = D(T, k)^{-1} (w_x, w_y)^T \bmod p,$$
      $$s_i = t_i + u_i pq \quad (i = x, y),$$
      $$S = (s_x, s_y).$$
      The integer $k$ and the function $h$ can be fixed in the system. Note that the parameter $a$ in the public key can also be fixed in the system. Therefore the real public key for each user is considered to be only $n$.

    * Note that $kT$ over $Z_n$ and $D(T, k)^{-1}$ can be computed as preprocessing, since they are independent of the message $m$.

Algorithm D

  Input: $T$, $k$
  Output: $2 \times 2$ matrix $D(T, k)$, whose elements are in $Z_p$.
  Step 1: Set $A = (A_1, A_2)$ such that $A_1 = T$ and $A_2$ is the $2 \times 2$ identity matrix (the Jacobian of $T$ with respect to itself). Set $l \leftarrow 1$ and $t \leftarrow 0$. The bit expression of $k$ is "$b_L b_{L-1} \cdots b_1$". (The initial setting for $B = (B_1, B_2)$ is not necessary, since the value of $B$ is set in Step 2.)
  Step 2: If $b_l = 1$ and $t = 0$, then $B \leftarrow A$ and $t \leftarrow 1$. If $b_l = 1$ and $t = 1$, then $B \leftarrow G(A, B)$.
  Step 3: If $l = L$, then output $B_2$ as $D(T, k)$. Otherwise $l \leftarrow l + 1$, and $A \leftarrow F(A)$. Return to Step 2.

  Note that the value of $B_1$ that corresponds to the output value of $B_2$, or $D(T, k)$, is equal to $kT$ over $Z_n$.

• Signature verification:

  o The signature message $(S, m)$ is considered valid if the following verification inequalities hold:
    $$m_x \le (kS \text{ over } Z_n)_x < m_x + 2^{2|n|/3},$$
    $$m_y \le (kS \text{ over } Z_n)_y < m_y + 2^{2|n|/3},$$
    where $(m_x, m_y) = h(m)$. Note that the first parameter $a$ of $C_n$ is fixed and given for the calculation $kS$ over $Z_n$, but that the other parameter $b$ of $C_n$ is not necessary for the calculation and is determined by the value $S = (s_x, s_y)$ such that
    $$b = s_y^2 - s_x^3 - a s_x \text{ over } Z_n.$$
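The following Python code is an added example, not the paper's own implementation, of the 5.4.2 procedure with $k = 2$. Instead of writing out the partial derivatives of $f$ and $g$ by hand, it carries the Jacobian along with every intermediate value: a `Dual` object holds a value mod $n$ together with its two partial derivatives mod $p$ with respect to $(t_x, t_y)$, and its arithmetic applies the chain rule, which is exactly the bookkeeping $F$ and $G$ of Definition 5 perform on the pairs $(A_1, A_2)$ in Algorithm D. The curve parameter $a = 7$, the toy primes $p, q$, SHA-256 as $h$, and the names `Dual`, `ec_mul`, `sign`, `verify` are assumptions of the example; the primes give no security.

```python
import hashlib
import secrets
from math import gcd

# Toy secret primes (NOT secure; the paper's estimate assumes |n| = 768 bits).  p > q, n = p^2 q.
P, Q = 1000003, 999983
N = P * P * Q
PQ = P * Q
A_CURVE = 7                                  # curve parameter a, fixed system-wide (assumed value)
K = 2                                        # the "double version" k = 2
BOUND = 1 << (2 * N.bit_length() // 3)       # verification window 2^{2|n|/3}; here pq < BOUND


class Dual:
    """A value mod n plus its partial derivatives mod p with respect to (t_x, t_y).
    The value part follows the curve formula; the gradient part follows the chain rule."""

    def __init__(self, v, g=(0, 0)):
        self.v = v % N
        self.g = (g[0] % P, g[1] % P)

    @staticmethod
    def lift(o):
        return o if isinstance(o, Dual) else Dual(o)

    def __add__(self, o):
        o = Dual.lift(o)
        return Dual(self.v + o.v, (self.g[0] + o.g[0], self.g[1] + o.g[1]))

    def __sub__(self, o):
        o = Dual.lift(o)
        return Dual(self.v - o.v, (self.g[0] - o.g[0], self.g[1] - o.g[1]))

    def __mul__(self, o):
        o = Dual.lift(o)
        return Dual(self.v * o.v, (self.v * o.g[0] + o.v * self.g[0],
                                   self.v * o.g[1] + o.v * self.g[1]))

    def inv(self):
        """1/v mod n with d(1/v) = -dv / v^2 mod p.  A non-invertible v is the paper's 'infinity'."""
        if gcd(self.v, N) != 1:
            raise ZeroDivisionError("addition formula hit infinity mod p or q")
        s = pow(self.v % P, -2, P)
        return Dual(pow(self.v, -1, N), (-self.g[0] * s, -self.g[1] * s))


def ec_double(pt):
    """2P = f(P): lam = (3 x1^2 + a) / (2 y1), f_x = lam^2 - 2 x1, f_y = -y1 + lam (x1 - f_x)."""
    x1, y1 = pt
    lam = (x1 * x1 * 3 + A_CURVE) * (y1 * 2).inv()
    x3 = lam * lam - x1 * 2
    return x3, lam * (x1 - x3) - y1


def ec_add(p1, p2):
    """P + Q = g(P, Q): lam = (y2 - y1) / (x2 - x1), g_x = lam^2 - x1 - x2, g_y = -y1 + lam (x1 - g_x)."""
    (x1, y1), (x2, y2) = p1, p2
    lam = (y2 - y1) * (x2 - x1).inv()
    x3 = lam * lam - x1 - x2
    return x3, lam * (x1 - x3) - y1


def ec_mul(k, pt):
    """kT by the formal addition law, scanning bits b_1, b_2, ... as Algorithm D does.
    T need not lie on the curve: the parameter b is never used."""
    acc = None
    while k:
        if k & 1:
            acc = pt if acc is None else ec_add(acc, pt)
        k >>= 1
        if k:
            pt = ec_double(pt)
    return acc


def h(m: bytes):
    """(m_x, m_y) = h(m), each in [0, n - pq) as Theorem 4 requires (assumed SHA-256 instantiation)."""
    return tuple(int.from_bytes(hashlib.sha256(tag + m).digest(), "big") % (N - PQ)
                 for tag in (b"x", b"y"))


def sign(m: bytes):
    mx, my = h(m)
    while True:
        tx, ty = secrets.randbelow(PQ), secrets.randbelow(PQ)
        if gcd(tx, PQ) != 1 or gcd(ty, PQ) != 1:
            continue
        # Step 1 of Algorithm D: A_1 = T, A_2 = identity (d t_x/d t_x = 1, d t_y/d t_y = 1)
        try:
            kx, ky = ec_mul(K, (Dual(tx, (1, 0)), Dual(ty, (0, 1))))
        except ZeroDivisionError:
            continue                                         # cases (1), (2)
        if 0 in (kx.v % P, kx.v % Q, ky.v % P, ky.v % Q):
            continue                                         # cases (3), (4)
        (d11, d12), (d21, d22) = kx.g, ky.g                  # D(T, k): the output B_2 of Algorithm D
        det = (d11 * d22 - d12 * d21) % P
        if det == 0:
            continue                                         # case (5): D(T) not regular mod p
        wx = -((kx.v - mx) // PQ)                            # ceil((m_x - (kT)_x) / pq)
        wy = -((ky.v - my) // PQ)
        idet = pow(det, -1, P)
        ux = (d22 * wx - d12 * wy) * idet % P                # (u_x, u_y) = D^{-1} (w_x, w_y) mod p
        uy = (d11 * wy - d21 * wx) * idet % P
        return tx + ux * PQ, ty + uy * PQ                    # s_i = t_i + u_i pq


def verify(m: bytes, S) -> bool:
    mx, my = h(m)
    try:
        kx, ky = ec_mul(K, (Dual(S[0]), Dual(S[1])))         # gradients are unused here
    except ZeroDivisionError:
        return False
    return mx <= kx.v < mx + BOUND and my <= ky.v < my + BOUND
```

Because every intermediate value at $S = T + u\,pq$ is congruent to the value at $T$ modulo $pq$, a denominator that is invertible mod $n$ during signing stays invertible during verification, so the retry checks only need to be made once, on $T$.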



6 Security Consideration

The security of our scheme depends on the difficulty of factoring $n = p^2 q$. Although it has not been proven that our scheme is as secure as factoring, our scheme seems to be more secure than Okamoto's scheme, against which no attack is known so far when its degree is greater than three. The quadratic version of Okamoto's scheme was broken by Brickell et al. [BD], and this attack was generalized by Vallée et al. [VGT] using the lattice algorithm. Their attacks essentially use and generalize the approximation property that $O(N^{1/2}) < O(N^{2/3})$. However, this approximation technique does not appear applicable to our scheme even if it is the double version ($k = 2$), since the rational function mod $n$ is essentially used in our scheme. Although it is not clear that factoring $n = p^2 q$ is as hard as factoring $n = pq$, no attack has been reported so far that is specifically effective for a number with the square of a prime.



7 Performance

We have estimated the amount of work needed to generate a signature with our scheme and compared it with that of the RSA scheme. We assume that $n$ ($= p^2 q$) is 96 bytes and $k = 2$ for our scheme, and $n'$ ($= p' q'$) is 64 bytes for RSA.

Signature generation with the new scheme requires 4 modulo-$n$ multiplications, 1 modulo-$n$ division, 17 modulo-$p$ multiplications, and 1 modulo-$p$ division. So, in total, it is almost equivalent to $(4 + 17/9) + (1 + 1/9)c$ modulo-$n$ multiplications, which is less than $(6 + 1.2c)$ modulo-$n$ multiplications. Here, $c$ is the ratio of the amount of work for a modulo-$n$ division to that for a modulo-$n$ multiplication, and is considered to be less than 10 from our implementation data based on algorithm L (p. 329) in [Kn]. The RSA scheme requires 750 modulo-$n'$ multiplications.

As the computational complexity of one modulo-$n$ multiplication is almost equivalent to that of 2.25 ($= 1.5^2$) modulo-$n'$ multiplications, signature generation with our scheme is considered to require less than 40 modulo-$n'$ multiplications.

The signature generation speed of our new scheme is more than 10 times faster than that of the RSA scheme. If the Chinese Remainder Theorem technique is applied to the RSA scheme, the amount of work is theoretically reduced by 75%, while the work of our scheme is reduced by about 50%. In addition, the $m$-ary exponentiation and Montgomery arithmetic techniques can reduce the amount of work needed by the RSA scheme; however, they can also be applied to our scheme. Therefore our new scheme is still at least several times faster than the RSA scheme.

Moreover, the pre-processing technique (off-line processing) is possible with our scheme, as is true for Okamoto's scheme [FOM] and DSA. In the pre-processing phase, the computations that do not depend on the message are executed. This dramatically increases the signature generation (on-line processing) speed of our scheme. Thus, signature generation with our scheme is effectively instantaneous even if implemented on a smart card, since the amount of work needed for on-line signature generation is less than one modulo-$n$ multiplication.

8 Conclusion 

We have proposed a new practical digital signature scheme based on elliptic 
curves over a ring. To construct this scheme, we introduced two extensions of 
Okamoto's scheme. The signature generation speed of our scheme is more than 10 
times faster than that of the RSA scheme. Moreover, a pre-processing technique 
can significantly increase the signature generation speed. 
Discrete Log Cryptosystems

Abstract. Using a number field sieve, discrete logarithms modulo primes of special forms can be found faster than for standard primes. This has raised concerns about trapdoors in discrete log cryptosystems, such as the Digital Signature Standard. This paper discusses the practical impact of these trapdoors, and how to avoid them.



1 Introduction

The National Institute of Standards and Technology (NIST) recently announced a proposal for a federal digital signature standard, DSS [21]. This proposal gives an algorithm for electronically signing documents, to guarantee the integrity of the message and the identity of the sender. The Digital Signature Algorithm (DSA) given in the proposal is based on the difficulty of solving discrete logarithms modulo large primes. It has already excited a great deal of discussion regarding its efficiency and security.

In the DSA, the public key consists of a prime $p$ of 512 bits, a prime $q$ dividing $p - 1$ of 160 bits, and a number $g$ which is a $((p - 1)/q)$-th power mod $p$. The private key is a number $x$, and $y = g^x$ is also made public. Then to sign a message $m$, the sender calculates
$$r = (g^k \bmod p) \bmod q$$
and
$$s = (k^{-1}(H(m) + xr)) \bmod q.$$
Here $H$ is any one-way hash function, $m$ is the message, and $k$ is a random number less than $q$. To authenticate a message, a recipient computes:
$$w = s^{-1} \bmod q,$$
$$u_1 = (H(m)\, w) \bmod q,$$
$$u_2 = (rw) \bmod q,$$
$$v = (g^{u_1} y^{u_2} \bmod p) \bmod q.$$
The signature is correct if $v = r$.

The only known way to break this system is to find $x$ from $g$ and $y$ (i.e., find the discrete logarithm $\log_g y \bmod p$). Several other schemes (e.g. [3], [6], [18]) also depend on the difficulty of discrete logarithms. Subexponential algorithms are known for finding discrete logarithms modulo large primes, but the largest prime for which the problem has been solved is 224 bits in length, by LaMacchia and Odlyzko [9], using the Gaussian integer method of Coppersmith, Odlyzko and Schroeppel [5].

In [7], an algorithm is given for finding discrete logarithms using a number field sieve, which is asymptotically faster than other known methods. The general number field sieve is impractical, but a variant of the algorithm for primes of special forms is practical. The idea of using the number field sieve to make trapdoor primes is mentioned in [1], page 50.

In Sect. 2, we give a brief description of how the special number field sieve for discrete logarithms works. Estimates for the time to break the DSS with regular versus various trapdoor primes are given in Sect. 3. The rest of the paper deals with how to detect trapdoors, how to construct trapdoors to avoid detection, and how one or more people can choose primes for which the probability of a trapdoor existing is negligible.

2 The Number Field Sieve

Here we give a short presentation of the special number field sieve. For a more complete description of the algorithm, and the heuristic assumptions involved, see [7].

Let $p$ be a prime and $f$ be an irreducible monic polynomial of degree $k$ with reasonably small coefficients, such that for some integers $X$ and $Y$ near $p^{1/k}$ we have $Y^k f(X/Y) \equiv 0 \pmod p$. Let $\alpha \in \mathbb{C}$ denote a root of $f$, and $K = \mathbb{Q}(\alpha)$. For constructing trapdoor primes, it is convenient to pick $f$ so that $O_K = \mathbb{Z}[\alpha]$ is a unique factorization domain.

We may define a homomorphism $\psi$ from $O_K$ to $\mathbb{Z}/p\mathbb{Z}$ by sending $\alpha$ to $X/Y \bmod p$, so that for any integers $c$ and $d$,
$$cY + dX = Y(c + dX/Y) \equiv Y\,\psi(c + d\alpha) \pmod p.$$

The factor base $\mathcal{B}$ will consist of rational primes less than a bound $B$ ($\mathcal{B}_{\mathbb{Q}}$), first-degree primes in $O_K$ with norm less than $B$ ($\mathcal{B}_\alpha$), a fundamental set of units in $O_K$, and $Y$. Calculating the primes and units for the field is not difficult when $f$ is, say, $x^k - 2$ (see [14]), but will be more difficult for polynomials with larger coefficients. We will discuss this problem in the next section.

Call a rational or algebraic integer smooth if its prime factors are all in the factor base. We will need to find many pairs of coprime integers $c, d$ such that $cY + dX$ and $c + d\alpha$ are both smooth. This can be accomplished efficiently by sieving $cY + dX$ and the norm
$$|N(c + d\alpha)| = |(-d)^k f(-c/d)|$$
for fixed $c$ and a large range of $d$. The smoothness of $c + d\alpha$ and of $N(c + d\alpha)$ are related by the following (see [7], Proposition 2):

Theorem 1. If $c$ and $d$ are relatively prime and $r^l \,\|\, N(c + d\alpha)$ for a prime $r$, then $(r, \alpha - c_r)^l \,\|\, (c + d\alpha)$ in $O_K$, for $c_r \equiv -c/d \pmod r$.

We will choose $g$, the base for the discrete logarithm, to be smooth and a primitive root modulo $p$. Note that this cannot be the same as the base $g$ for the DSA, since that $g$ is a $(p - 1)/q$-th power. Thus, the first step in breaking the DSS would be to find the log of its base.

The precomputation step involves sieving through small $c$ and $d$, looking for pairs with $cY + dX$ and $N(c + d\alpha)$ both smooth. Each hit gives us an equation involving logarithms of the factor base. Suppose that we find a $c$ and $d$ for which both are smooth, say
$$cY + dX = \prod_{s \in \mathcal{B}_{\mathbb{Q}}} s^{v_s(c,d)}$$
and
$$|N(c + d\alpha)| = \prod_{s} s^{w_s(c,d)},$$
for $v_s, w_s \in \mathbb{Z}_{\ge 0}$. Then
$$(c + d\alpha) = \prod_{\mathfrak{s} \in \mathcal{B}_\alpha} \mathfrak{s}^{w_s(c,d)}$$
by Theorem 1. Since $O_K$ is a UFD, this equation involving ideals can be replaced with one involving algebraic integers, by replacing each $\mathfrak{s}$ in the above equation by a generator for the ideal. Then $c + d\alpha$ divided by the generators is a unit, which can be explicitly computed in terms of a fundamental set of units, using Theorem 5 of [7].

From this, applying $\psi$ and collecting every factor base element (the rational primes, the generators of the $\mathfrak{s}$, the fundamental units, and $Y$) into one product, we obtain:
$$(cY + dX)\,\bigl(Y\,\psi(c + d\alpha)\bigr)^{-1} = \prod_{s \in \mathcal{B}} s^{u_s(c,d)} \equiv 1 \pmod p,$$
which gives us an equation for the logs of the factor base:
$$\sum_{s \in \mathcal{B}} u_s(c,d) \log_g s \equiv 0 \pmod{p - 1}.$$

Once we have more than $|\mathcal{B}|$ hits, we solve the resulting matrix equation over $\mathbb{Z}/(p - 1)\mathbb{Z}$, using structured Gaussian elimination to reduce the size of the matrix and then solving the smaller, dense matrix using the conjugate gradient method or Wiedemann's algorithm (see [10]). This completes the precomputation.

To find an individual logarithm, we reduce the problem to finding the logs
of medium-sized primes. Choose random values of $s$ and attempt to factor $g^s y$
$\pmod p$ using the elliptic curve method (ECM) until one is found for which

$$g^s y \equiv q_1 q_2 \cdots q_h \pmod p,$$

with each $q_i$ less than a bound $Q$. (This can be improved as in [9], by finding
$z_1, z_2 = O(\sqrt p)$ such that $y \equiv z_1/z_2 \pmod p$, and testing whether $z_1$ and $z_2$
are both $Q$-smooth.)

For each $q_i$, we will sieve $c$ and $d$ for which $q_i \mid (cY + dX)$, say fixing $d$ and
taking $c = c_0 + e q_i$, to find one value for which $(cY + dX)/q_i$ and $N(c + d\alpha)$ are
both smooth. Once this happens we are done, since from the precomputation we
know the logs of the whole factor base.

The choices for the size of the factor base and the $q_i$'s depend on how time is
to be divided between the two stages. Enlarging the factor base reduces the
time needed to find individual logarithms, but at the cost of increasing the
precomputation time. Let

$$L_n[v; c] = \exp\{(c + o(1))(\log n)^v (\log\log n)^{1-v}\},$$

for $n \to \infty$. Assuming some reasonable heuristics (see [7]), the optimal choice of
parameters is

$$k = 10^{1/5} \left(\frac{\log p}{\log\log p}\right)^{1/5}$$

and

$$B = L_p[2/5; (4/125)^{1/5}],$$

$$Q = L_p[3/5; (1/100)^{1/5}],$$

which results in both the precomputation and individual logarithms taking expected
time

$$L_p[2/5; (128/125)^{1/5}] \approx L_p[2/5; 1.00475].$$



If many instances are to be done for one $p$, more time could be spent on
the precomputation by taking a larger factor base. For $\mu > (128/125)^{1/5}$, if we
spend $L_p[2/5; \mu]$ time on the precomputation, each logarithm can be found in
time

/ U'S ^ "''1 

The Gaussian integer method is a special number field sieve with $k = 2$ and
$K$ a complex quadratic field. For any $c > 1$, the Gaussian integer method can find
logarithms in time $L_p[1/2; 1/(2c)]$ if $L_p[1/2; c]$ is spent on the precomputation.
Even for fairly small primes with good polynomials, the special number field
sieve is faster than the Gaussian integer method.

For primes which cannot be represented by good polynomials, a similar procedure
called the general number field sieve can be done. The difference is that
the polynomial $f$ will have large coefficients, so operations in the resulting field
will be impractical. To avoid them, the equations must be solved over the rationals
instead of modulo $p - 1$, to eliminate ideals and units.

The better asymptotic time for the general number field sieve comes from
using different fields for finding individual logarithms. Instead of sieving through
$c$ and $d$ such that $q_i \mid (cY + dX)$, we search through polynomials for which $q_i \mid \varphi(\alpha)$.
This allows us to take $Q$ as big as $X$ and $Y$, which asymptotically speeds up the
algorithm. The time for the general number field sieve is

$$L_p[1/3; 3^{2/3}] \approx L_p[1/3; 2.08].$$

Oliver Schirokauer [17] has developed a method to avoid solving equations over
the rationals, so that the time can be improved to $L_p[1/3; 1.902]$. The larger
constant and $o(1)$ terms make the general number field sieve impractical for
numbers we are interested in.

3 Complexity Estimates

There are four parts of the algorithm which dominate the timing estimates. For
the precomputation, there is the sieve to gather equations, and then the linear
algebra modulo $p - 1$ to solve the equations. For finding individual logarithms,
the medium-sized primes are found by repeated trials of the ECM, and then
another sieve must be done for each $q_i$.

How much time is devoted to each part depends on the choice of parameters:
the degree of the polynomial $f$, the polynomial chosen (and the resulting field),
the size of the factor base, and the size of a medium-sized prime.

For $k = 2$, we can take $f = x^2 + r$ for $r$ a small positive integer for which
$-r$ is a quadratic residue modulo $p$. Then the resulting field is just a complex
quadratic field $\mathbb{Q}(\sqrt{-r})$, and we have the Gaussian integer method. This can be
applied to any prime, but is impractical for 512-bit primes. Breaking the DSS
using the Gaussian integer method with $B = 50{,}000{,}000$ would require sieving
$10^{20}$ numbers. Even if this could be accomplished, the resulting matrix would
have over 5,000,000 columns, and the linear algebra problem would be a major
hurdle.

The numbers in Table 1 show the difficulty of finding discrete logarithms for
512-bit primes using the special number field sieve with polynomials of degree
2-5 with small coefficients. They assume that the large prime variation described
in [14] is being used. They are intended as rough estimates only, but serve to give
an idea of the time required. For comparison, the factorization of $F_9$ required
sieving about $10^{1?}$ numbers, and solving a matrix with 190,203 columns modulo
2 [14]. For larger $k$, $X$ and $Y$ are smaller, so a smaller factor base can be used,
speeding the precomputation. But then for individual logarithms $N(c + d\alpha) \approx Q^k$
is larger, so we need to take $Q$ smaller and do more ECM trials.

Table 1 indicates that the ideal polynomial for a trapdoor would have degree
four. Its coefficients should be small, to keep down the size of $N(c + d\alpha)$. The
field generated by a root of the polynomial should have small discriminant and
regulator, class number one and index one, so that field operations can be done
efficiently. If the polynomial has four complex roots, then the unit group will
have rank one.

For example, the polynomial $x^4 + x + 1$ satisfies all the above conditions. The
problem is that the polynomial could only be used with primes $p$ for which there
exist $X, Y \approx p^{1/4}$ such that $X^4 + XY^3 + Y^4 \equiv 0 \pmod p$. This is a thin set of
primes, which can easily be detected (see the next section).

Table 1. Statistics for 512-bit primes with good polynomials.

  k               2             3             4             5
  B               5 x 10^7      5 x 10^6      3 x 10^6      2 x 10^6
  sieve range     10^20         2 x 10^16     2 x 10^14     10^14
  matrix size     5,600,000     650,000       400,000       280,000
  Q               10^20         10^19         10^15         10^(illegible)
  # ECM trials    29,000        78,000        2 x 10^7      2 x 10^9
  second sieve    2.5 x 10^14   2.4 x 10^15   1.5 x 10^14   3 x 10^14

For polynomials with larger coefficients, the special number field sieve is more
complicated. The sieving stage takes slightly longer, since the norms being tested
for smoothness are larger. For polynomials with coefficients of, say, up to 100 in
absolute value, the sieving range must be increased by roughly a factor of ten.

Another difficulty is dealing with a field of larger discriminant. The problem is
finding generators for the unit group and prime ideals in the factor base. In [13],
these are found by searching through algebraic integers of the form $\sum_{i=0}^{k-1} b_i \alpha^i$
for $\alpha$ a generator of $K$ and small values of $b_i$. For fields generated by polynomials
with larger coefficients, this will be impractical.

There have been several papers on efficient algorithms to find units and
algebraic integers of given norms in general number fields (see [4], [16]). The
computations are involved, but they only need to be done once for a given $f$.

The matrix equation resulting from the sieving may be solved using intelligent
Gaussian elimination to greatly reduce the size of the matrix, and then the
conjugate gradient algorithm to solve the reduced equation. In [10] these methods
were used to solve matrices with up to 96,321 columns.

4 Trapdoor Primes and Polynomials

From Table 1, we see that some 512-bit primes may not be safe, but general
ones (at least for the moment) are. We want to ensure that for a given prime $p$
there is no polynomial $f$ which can be used for the special number field sieve.
Currently, the only way to check for this is to check one polynomial at a time.

Let $p$ be a 512-bit prime and $f$ be a polynomial of degree $k \geq 3$. We will
say that $X$ and $Y$ are a trapdoor for $p$ and $f$ if they are both less than (say)
$1{,}000\, p^{1/k}$ in absolute value, and $Y^k f(X/Y) \equiv 0 \pmod p$.

Theorem 2. If a trapdoor $X, Y$ exists for $p$ and $f$, then for a root $c_p$ of $f$ mod $p$,
$(X, Y)$ is a short vector in the lattice $\mathcal{L} = \langle (p, 0), (c_p, 1) \rangle$.

Proof. Let $c_p$ be the root of $f$ mod $p$ congruent to $X/Y$ mod $p$. The lattice $\mathcal{L}$
contains $(X, Y)$, since $(c_p, 1)Y = (c_p Y, Y) \equiv (X, Y) \pmod p$.
The shortest vector in $\mathcal{L}$ has length at most $O(\sqrt p)$, and for most choices of
$p$, $f$ and $c_p$, the short vector will be $\Theta(\sqrt p)$. If such an $X$ and $Y$ do exist, $(X, Y)$
has length $\leq \sqrt 2 \cdot 1{,}000\, p^{1/k}$.

Conversely, all vectors $(X, Y) \in \mathcal{L}$ satisfy $Y^k f(X/Y) \equiv 0 \pmod p$, so any
such short vector is a trapdoor for $f$ and $p$. $\square$

This gives an efficient algorithm for testing whether a trapdoor exists for a
given $f$ and $p$. One may find linear factors of $f$ mod $p$ efficiently by eliminating
square factors (dividing by the greatest common divisor of $f$ and $f'$ mod $p$), and
then taking the gcd of $(x^p - x)$ and $f$ mod $p$ (see [8]). Then $X$ and $Y$, if they
exist, can be found using lattice reduction.
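The test of Theorem 2, as an added example (this code is not the paper's and not from its author): it finds the roots of $f$ mod $p$ by the gcd with $x^p - x$ (which discards repeated factors by itself, so the separate gcd with $f'$ is not needed here) followed by Cantor-Zassenhaus splitting, then Gauss-reduces the lattice $\langle (p,0), (c_p,1) \rangle$ for each root and compares the shortest vector with the bound $\sqrt 2 \cdot 1{,}000\, p^{1/k}$. The polynomial is the paper's $x^4 + x + 1$; the 128-bit prime size, the Miller-Rabin test and the planted test prime $p = X^4 + XY^3 + Y^4$ (found by stepping $X$ until the value is prime) are this example's own choices, there to check that a planted trapdoor is recovered and that a random prime of the same size is reported as having none.

```python
"""Trapdoor test of Theorem 2 (added example).  Polynomials over GF(p) are
coefficient lists, index i = coefficient of x^i, no trailing zeros, [] = 0."""
import random

def _trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_mul(a, b, p):
    r = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            r[i + j] = (r[i + j] + ai * bj) % p
    return _trim(r)

def poly_sub(a, b, p):
    a, b = a + [0] * (len(b) - len(a)), b + [0] * (len(a) - len(b))
    return _trim([(x - y) % p for x, y in zip(a, b)])

def poly_divmod(a, m, p):  # quotient and remainder; leading coefficient of m must be invertible mod p
    a, q = _trim([x % p for x in a]), [0] * max(len(a) - len(m) + 1, 0)
    inv = pow(m[-1], -1, p)
    while len(a) >= len(m):
        shift, coef = len(a) - len(m), a[-1] * inv % p
        q[shift] = coef
        for i, mi in enumerate(m):
            a[shift + i] = (a[shift + i] - coef * mi) % p
        _trim(a)
    return _trim(q), a

def poly_powmod(base, e, m, p):
    result, base = [1], poly_divmod(base, m, p)[1]
    while e:
        if e & 1:
            result = poly_divmod(poly_mul(result, base, p), m, p)[1]
        base, e = poly_divmod(poly_mul(base, base, p), m, p)[1], e >> 1
    return result

def poly_gcd(a, b, p):  # monic gcd
    a, b = _trim([x % p for x in a]), _trim([x % p for x in b])
    while b:
        a, b = b, poly_divmod(a, b, p)[1]
    return [x * pow(a[-1], -1, p) % p for x in a] if a else []

def roots_mod_p(f, p, rng):
    """Roots of f in GF(p), p an odd prime: gcd with x^p - x, then Cantor-Zassenhaus splitting."""
    x = [0, 1]
    roots, stack = [], [poly_gcd(poly_sub(poly_powmod(x, p, f, p), x, p), f, p)]
    while stack:  # each entry is a monic product of distinct linear factors
        g = stack.pop()
        if len(g) == 2:
            roots.append((-g[0]) % p)
        elif len(g) > 2:  # (x + a)^((p-1)/2) - 1 splits g with probability about 1/2
            h = poly_powmod([rng.randrange(p), 1], (p - 1) // 2, g, p)
            d = poly_gcd(poly_sub(h, [1], p), g, p)
            stack += [d, poly_divmod(g, d, p)[0]] if 1 < len(d) < len(g) else [g]
    return roots

def gauss_reduce(u, v):
    """Lagrange-Gauss reduction of a 2-dimensional basis; returns (shortest vector, other)."""
    def norm2(w): return w[0] * w[0] + w[1] * w[1]
    while True:
        if norm2(u) > norm2(v):
            u, v = v, u
        t = (2 * (u[0] * v[0] + u[1] * v[1]) + norm2(u)) // (2 * norm2(u))  # round(<u,v>/<u,u>)
        if t == 0:
            return u, v
        v = (v[0] - t * u[0], v[1] - t * u[1])

def homogeneous_value(f, X, Y):  # Y^k f(X/Y) as an integer, k = deg f
    return sum(c * X ** i * Y ** (len(f) - 1 - i) for i, c in enumerate(f))

def find_trapdoor(p, f, rng, slack=1000):
    """(X, Y) with Y^k f(X/Y) = 0 (mod p) and |(X, Y)| <= sqrt(2)*slack*p^(1/k), or None."""
    bound2 = 2 * slack * slack * p ** (2.0 / (len(f) - 1))
    for c in roots_mod_p(f, p, rng):
        (X, Y), _ = gauss_reduce((p, 0), (c, 1))  # a trapdoor is the lattice's shortest vector
        if X * X + Y * Y <= bound2:
            return X, Y
    return None

def is_probable_prime(n, rng, rounds=20):  # Miller-Rabin for odd n > 3; used only to build the test vector
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

F = [1, 1, 0, 0, 1]  # the paper's f(x) = x^4 + x + 1, low-degree coefficient first

def make_trapdoor_prime(f, X, Y, rng):  # constructed test vector: step X until Y^k f(X/Y) is prime
    while not is_probable_prime(homogeneous_value(f, X, Y), rng):
        X += 1
    return homogeneous_value(f, X, Y), X
```

A prime value of $Y^k f(X/Y)$ forces $\gcd(X, Y) = 1$ (the value is divisible by $\gcd(X,Y)^k$), so $(X, Y)$ is a primitive lattice vector and the reduced basis returns it up to sign; for a random prime of the same size the shortest vector has length about $\sqrt p$, far above the bound, and `find_trapdoor` returns `None`. Running the same functions on a 512-bit $p$ changes only the size of the exponents.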

The main problem with this is that every polynomial $f$ needs to be considered
separately, so a limited range of polynomials can be searched. On a Sparcstation
1, one fourth-degree polynomial can be tested for a 512-bit prime in about a
minute. On a parallel machine many polynomials could be searched at once, and
a fairly large range of polynomials could be tested. With this test, a trapdoor
with a good polynomial could be found. This forces an adversary to choose a
polynomial from a set too large to be exhaustively searched, say an $f$ of degree
four with coefficients chosen randomly between $-100$ and $100$.

Note that in the special case $Y = 1$, where $p = f(X)$, the polynomial can be
found much faster. In this case $(p/a_k)^{1/k}$ is close to $X$, where $a_k$ is the leading
coefficient of $f$. All polynomials with a given $a_k$ could be tested at once, very
efficiently, so such a trapdoor would be much easier to discover.

Similar techniques can be used to construct a trapdoor prime. Suppose we
wish to compute $q$ and $p$ for the DSA such that for a given polynomial $f(x) =
x^3 + bx^2 + cx + d$ and some $X, Y \approx p^{1/3}$, $p = Y^3 f(X/Y)$. Begin by finding a
160-bit prime $q$, and choosing any $Y_0 \approx 2^{170}$. Let $g(x) = Y_0^3 f(x/Y_0)$. Then we
may find an $a$ mod $q$ such that $g(a) \equiv 1 \pmod q$, by looking for linear factors
of $g(x) - 1 \pmod q$. If none exists, then another $Y_0$ may be tried.

For any $X \equiv a \pmod q$ and $Y \equiv Y_0 \pmod q$, we have $Y^3 f(X/Y) \equiv 1
\pmod q$. Taking $X = a + l_1 q$ and $Y = Y_0 + l_2 q$, with $l_1$ and $l_2$ chosen so that
$Y^3 f(X/Y) \approx 2^{512}$, we expect to soon find a pair for which $p = Y^3 f(X/Y)$ is
prime. This $p$ and $q$ could be used as a trapdoor for the DSS.

This is not an ideal trapdoor, since from Table 1, a degree four polynomial
would work better. The problem with constructing a better trapdoor using the
above method is that $a$ is usually a 160-bit number, which is bigger than $p^{1/4}$,
so $X$ would be too large. The revised DSS will allow primes $p$ up to 1024 bits
[19]. For primes with 640 or more bits, the above method can be used to make
a trapdoor with a degree four polynomial. For primes with 800 or more bits, a
degree five polynomial can be used.

Another way to generate a trapdoor would be to choose a polynomial $f$, and
try random values of $X$ and $Y$ until $p = Y^k f(X/Y)$ is prime and divisible by a
160-bit prime $q$. To find such a value, one could sieve by small primes or use the
ECM factoring method to find an $X, Y$ pair for which $p - 1$ is smooth except for
one 160-bit prime factor. This has the drawback that $(p-1)/q$ would be smooth,
which, while it is not known to weaken the system, does seem undesirable.
5 Protocols for Choosing a Prime

The ideal way to avoid worries about a trapdoor would be to come up with a
way of generating primes for which one can guarantee that no such polynomial
exists. An alternative is to use a random prime, which is almost certain to be
safe. Call a prime $p$ unsafe if an $f$ exists with $Y^k f(X/Y) \equiv 0 \pmod p$, where $k$
is between 3 and 10, $X$ and $Y$ are less than $1{,}000\, p^{1/k}$, and the absolute values
of the coefficients of $f$ are less than 500. Then the fraction of 512-bit primes
which are unsafe is at most

i 10 

Suppose two people wish to agree on a safe key for the DSS. They can choose
a random seed for the random number generator, using a protocol due to Blum
[2]. From this they can use the method of Appendix 2 of [21] to create a key
which is as likely to be safe as any random key.

On the other hand, a central authority might want to announce a key for
general use, so that everyone is convinced there is no trapdoor. To do this,
the authority must have a pseudo-random number generator and algorithm for
constructing keys so that

1. Any user can verify that a key was generated using the approved method.

2. Keys produced by this method should be no more likely than random keys
to contain trapdoors.

3. The choice of seed used for the random number generator should not allow
the authority to create a particular key.

With a few modifications, the random number generator mentioned in Appendix
3 of [21] can be made to satisfy the above criteria. That method uses
DES with a 64-bit seed, DES key and 64-bit date/time-stamp. To satisfy the
above conditions, the DES key used should be fixed as part of the algorithm,
the seed should be made public with the DSS key, and the time-stamp format
should be specified.

It could be argued that the 64-bit seed gives too much freedom, putting the
third condition at risk. This can be remedied by restricting the choice of seeds,
or eliminating the seed entirely and just using the time-stamp.

For an example of a "trustable" key, consider:

q = 1 14:860701 7^20547303462012999:^8277821 13538756127

and

p = "156 1 9 4 7 6 d 3 9 7 S 0 2 U ' H) 2 7 8 7 8 7 7 9 19330 180873773390583792476383
4406258 1 90286 1 0595 17171 5079270208 1 842023 1 8202 14082 1 69894
373334078735314126297272778927524812627411

These numbers were generated using the binary expansions of $\pi$ and $e$. The



this number of being any more likely than a random number to have a trapdoor, 
and tests of p by many polynomials have not found any. 

6 Conclusion

In this paper, we have tried to quantify the threat of trapdoors for discrete
logarithm-based cryptosystems, in particular DSS. While trapdoors do give a
definite advantage over standard keys, with a few easy precautions in the choosing
of $p$ and $q$ it is possible to prevent them, and they do not seem to pose a
major problem for such systems.

In [15], Maurer and Yacobi present a public key distribution system, based on
computing discrete logarithms modulo a composite number $n$. The factorization
of $n$ is a trapdoor which allows a trusted authority to compute secret keys. Unlike
the DSS, their system relies on the trapdoor, and they ask if a similar trapdoor
can be made for primes. The special number field sieve does provide a trapdoor
which could be used to construct a similar system with a prime modulus, but
such a system would be impractical.
Response to Comments on the NIST Proposed
Digital Signature Standard

Miles E. Smid
Dennis K. Branstad
Abstract. NIST received comments from 109 separate government agencies, companies, and
private individuals concerning the proposed Digital Signature Standard. Both positive and
negative comments were received. However, the number of negative comments was significantly
larger than normally received for a proposed Federal Information Processing Standard (FIPS). This
paper summarizes the major comments, both positive and negative, and provides responses where
appropriate. The paper highlights the anticipated significant modifications to the proposed
standard and concludes by discussing the future milestones that need to be accomplished before
the proposed DSS becomes a FIPS.



1. Introduction 

1.1 History of the DSA 

In August, 1991 [FRDSS], the National Institute of Standards and Technology (NIST) proposed a Digital Signature 
Algorithm (DSA) for use in computing and verifying digital signatures in government applications. The DSA was 
proposed in a draft Digital Signature Standard (DSS) [DFIPSXX] as the initial step of a process leading to a Federal 
Information Processing Standard. 

The goal was to provide a standard for government organizations to use for applications in which a digital signature 
is required. Private and commercial organizations are encouraged to adopt and use the DSS as well. This paper 
discusses the primary issues that were raised during the public comment period on the DSS. 

The Digital Signature Algorithm is used for mathematically computing and verifying a digital signature. The
algorithm explicitly defines the parameters (name, type, size but not value) and specifies the computations for
signature generation and verification. A digital signature is simply a number that depends upon the contents of the
message and the private key of the message signer. The signature is normally transmitted with the message. A
verifier, who has possession of the message, the signature, and the public key of the signer, can determine that the
signature was generated by the signer and was not modified, either accidentally or intentionally. In addition, the
verifier can provide the message, the digital signature, and the signer's public key as evidence to a third party that
the message was, in fact, signed by the claimed signer. Given the evidence, the third party can also verify the
signature. This capability is called "nonrepudiation". Of course, one can sign data other than messages, for
example, electronic contracts, computer programs, and any valuable electronic information.
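The signature generation and verification just described, as an added example that is neither NIST's code nor part of this paper. The computations are the DSA's: r = (g^k mod p) mod q (the feature singled out in Section 4.2 below), s = k^-1 (H(m) + x r) mod q, and verification v = (g^u1 y^u2 mod p) mod q with u1 = H(m) s^-1 mod q and u2 = r s^-1 mod q, accepting when v = r. The toy parameter sizes (16-bit q, 32-bit p, so trial division suffices for primality), the constructed message, and hashlib.sha1 standing in for the proposed SHA are this example's assumptions; a real DSS key uses a 512-bit p, a 160-bit q and the SHA digest.

```python
"""DSA signing and verification at toy size (added example; not NIST's or the paper's code)."""
import hashlib
import random

def is_prime(n):
    """Trial division, adequate only for the toy parameter sizes used here."""
    if n < 2 or n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True

def generate_parameters(rng, q_bits=16, p_bits=32):
    """Return (p, q, g): primes q and p with q | p - 1, and g of order q mod p."""
    q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
    while not is_prime(q):
        q += 2
    p = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) * q + 1
    while not is_prime(p):
        p += q                                  # keeps q | p - 1
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)
        if g != 1:                              # g has order exactly q
            return p, q, g

def digest_mod_q(message, q):
    """SHA-1 digest of the message as an integer mod q (stand-in for the proposed SHA)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % q

def generate_keypair(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)                     # private key
    return x, pow(g, x, p)                      # (x, y = g^x mod p)

def sign(params, x, message, rng):
    p, q, g = params
    while True:
        k = rng.randrange(1, q)                 # fresh per-message secret
        r = pow(g, k, p) % q                    # r = (g^k mod p) mod q
        s = pow(k, -1, q) * (digest_mod_q(message, q) + x * r) % q
        if r and s:                             # restart on the rare zero values
            return r, s

def verify(params, y, message, signature):
    p, q, g = params
    r, s = signature
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = digest_mod_q(message, q) * w % q, r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r
```

Verification needs only the public values (p, q, g, y), the message and (r, s); any change to the message or to either signature component makes v differ from r, which is the integrity and nonrepudiation property described above.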

1.2 Factors Considered

In selecting the Digital Signature Algorithm for the proposed DSS, the following factors were considered important: 
the level of security provided, the applicability of patents, the ease of export from the U.S., the impact on national
security and law enforcement, and the efficiency in a number of government and commercial applications. A 
number of techniques were reviewed and deemed appropriate for providing adequate protection in Federal systems. 
Among these, NIST placed primary emphasis on selecting the technique that best assures appropriate security for 
Federal information and does not require payment of royalties by U.S. private or commercial interests. All proposals 
were coordinated with the national security and law enforcement communities. 

A Digital Signature Algorithm should have several technical characteristics. First, it must compute a signature which 
depends on the contents of the message and the private key of the person that originated it. Second, the private key 
used for signature generation should not be computable knowing the public key used for signature verification. 
Third, the efficiency of generating keys, signing messages and verifying messages should have an acceptable impact 
on performance in various implementations and applications. Fourth, a digital signature algorithm should be useful 
in many different applications and provide a level of security commensurate with the value or sensitivity of the data 
being protected. 

Several digital signature algorithms have been proposed in the technical literature. Each exhibits the above 
characteristics to a greater or lesser degree. NIST proposed an algorithm which satisfies the desired technical 
characteristics in addition to the established non-technical criteria. This paper summarizes the comments received 
during the first public solicitation for comments on the proposed standard, provides responses to the comments, and 
discusses planned revisions to the proposed DSS. 

1.3 GAO Decision B-245714

Government agencies have often raised questions concerning the legality of using a digital rather than a written
signature. A "catch 22" condition existed. Agencies would not use digital signature technology because the
regulations appeared to require written signatures, and the regulations were not changed or clarified because agencies
were not using the new technology. In order to help clarify the issue, NIST requested a formal decision from the
General Accounting Office (GAO) [NLET]. Based on its analysis of an agency's financial system and operating
procedures, the GAO often grants relief against financial loss. If funds are lost as the result of a weakness in the
system or the operational procedures, the loss will come out of general revenues rather than the funds of the agency.

NIST asked the GAO whether NIST standards for electronic signatures could be used to record obligations in
government Electronic Data Interchange (EDI) payments. The GAO decision [GAO91] established the criteria for
government use of electronic signatures for EDI technologies consistent with 31 U.S.C. Section 1501. Electronic
signatures had to be unique and they had to provide a verifiable binding of the individual to the transaction. In
particular, the GAO stated that "EDI systems using message authentication codes which follow NIST's Computer
Data Authentication Standard (Federal Information Processing Standard (FIPS) 113) or digital signatures following
NIST's Digital Signature Standard, as currently proposed, can produce a form of evidence that is acceptable under
section 1501."

2. Overview of Comments 

NIST received comments from 109 separate government agencies, companies, and private individuals concerning
the proposed DSS. Both positive and negative comments were received. While government agencies tended to
support the proposed standard, the number of negative comments was significantly larger than normally received
for a proposed FIPS. The comments are public and copies are available for inspection at the Central Reference
and Records Inspection Facility, room 6020, Herbert C. Hoover Building, 14th Street between Pennsylvania and
Constitution Avenues, N.W., Washington, DC 20230.

3. Sample of Positive Comments 

Many responders to the NIST solicitation for comments stated their belief that a digital signature capability will be
necessary in electronic funds transfer, electronic data interchange, payroll, and administrative systems. Several
responders supported the government's goal of having a standard that was free of patent impediments and expressed
their desire that there be a federal standard for digital signatures which would provide for interoperability and a
common level of security. Many government agencies supported the proposed standard. A sample of some positive
comments is provided below:

1. The DSA will be especially useful to the financial services industry

2. The DSS is the key to robust and secure transfer of funds between individuals,
financial institutions, governments and corporations

3. There will be minimal cost impact if the proposed standard is implemented

4. Generating keys for the DSA is a relatively efficient operation

5. The DSA is the only signature algorithm that has been publicly proposed by any
government

6. We recommend that the algorithm be adopted as a FIPS

7. The Department applauds NIST's work in developing a DSS that will help to meet the needs of Federal
departments and agencies....

4. Response to Negative Comments 

Like the Data Encryption Standard (DES) proposed fifteen years earlier as a Federal Information Processing
Standard, the DSS received many negative comments, but the comments generally fell into one of several categories.
Some responders believed that since the selection process of the proposed DSA had not been public, the usual
standards making process was not followed. Other people thought the solicitation for comments was the end of the
standards process rather than just the beginning and therefore did not believe sufficient time was being provided for
evaluation of the proposal. Many noted that the proposal was an alternative to the Rivest, Shamir and Adleman
(RSA) algorithm [RIVEST] that has achieved a high degree of public acceptance. Selecting an alternative to the
RSA was felt to have a negative impact by those that had a financial interest and a positive impact by some that
had alternative financial interests. Finally, several technical concerns were expressed regarding the security and
efficiency of the proposed algorithm. These concerns and responses are summarized below.

4.1 The DSA selection process was not public 

Response: 

The early discussions leading to the proposal of the DSA algorithm were not public. The Computer Security Act
of 1987 states that NIST "shall draw upon computer system technical security guidelines developed by the National
Security Agency" [CSA87]. NIST followed its normal standards development procedures, the provisions of the
act, and the memorandum of understanding established with the National Security Agency (NSA). Several
alternatives were considered before the DSA was selected. The cooperation between NIST and NSA was publicly
known. NIST advised the appropriate ANSI accredited standards committees, as well as others, of the joint effort.

In the normal standards development process, NIST identifies the need for a standard, produces technical
specifications of a standard using inputs from different sources and then solicits government and public comment
on the proposal. After the comment period, the comments are analyzed, appropriate changes are made and a revised
standard issued (or further comment is solicited if the revisions are substantial). This public process is being
followed. NIST made the specification of the algorithm public and then solicited comments on the proposed
algorithm. NIST personnel have given talks on the DSS to Accredited Standards Committee (ASC) X9, Working
Group X9F1, Interop V2, the First International Symposium on Cryptographic Security, the Federal Computer
Security Program Managers' Forum, and the NIST Computer Security and Privacy Advisory Board. Working Group
X9F1, which makes financial standards related to public key cryptography, is now developing a standard that is
equivalent to the DSA [DANSIX9].

4.2 Sufficient time for analysis has not been provided 

Several parties felt that the three month comment period did not provide sufficient time for analysis of the algorithm. 
In response to a formal request, NIST extended the comment period for another three months. Few new comments 
were provided after the initial three month period. 

Response: 

NIST considered the initial three month comment period to be only part of the total DSS evaluation process. The 
security of the DSA is believed to be equivalent to the difficulty of solving the discrete logarithm problem which 
has been studied for several years. The ElGamal technique, upon which the DSA is based, has been studied since 
1984 and remains basically sound. The DSA does have some new features. In particular, r is calculated by 
computing (g^k mod p) mod q. However, the new features as well as the entire algorithm were evaluated by the NSA
and underwent the same analysis used by NSA to evaluate classified cryptographic systems. In fact, the DSA may
be used to sign unclassified data processed by "Warner Amendment" systems (10 U.S.C. 2315 and 44 U.S.C.
3502(2)) as well as classified data in selected applications [FRDSS].

It is now almost a year since the algorithm was publicly proposed and no cryptographic shortcut attacks have been 
found. NIST will continue to evaluate the merits of any proposed attack and will formally review the DSS at five 
year intervals. However, to be sure that there is no additional, currently unknown information about the algorithm
or its revision (see Section 5.2 below), NIST has stated there will be a second public comment period on a revised
DSS proposal before it is published as a standard.

4.3 The DSA may infringe on other patents 
Response: 

One of the selection criteria for the DSA was that it be free of patent impediments to the maximum extent possible. 
An agreement to grant non-exclusive, royalty free licenses had been made by the International Business Machines 
Corporation in 1975 prior to adopting the DES, which was covered by IBM patents, as a Federal Information 
Processing Standard. A similar status was desired for the DSS. Some alternative algorithms were considered less 
desirable because of known patent impediments. The DSS was designed by the government specifically to meet 
the selection criteria, including the patent criteria. However, two claims of infringement (by Public Key Partners 
and Professor Claus P. Schnorr) were received during the comment period. In addition other comments expressed 
a concern that the DSS infringed the patents held by these entities. 

A major criterion for the invention and selection of the DSS by the government was to avoid patented technology 
that could result in payment of royalties for government, commercial and private use. This was stated in 
Congressional testimony in June, 1991, shortly before the DSS was issued for comment. A patent application was 
filed for the DSA on behalf of the government with the intent of making the DSS available on a non-exclusive, 
royalty-free basis. The patent claims were recently allowed by the U.S. patent office. The patents that are claimed 
to be infringed were directly or indirectly referenced in the DSA patent application. 

Based on its initial analysis of existing patents, NIST believed the DSA did not infringe on any known patents. As 
a result of the claims of infringement, NIST is attempting to clarify the patent issue (see Section 5.1). The judgment
of infringement is a complex legal issue and outside the scope of this paper. 
4.4 The DSA does not provide for secret key distribution
Response: 

The DSA does not provide for secret key distribution because the DSA is not intended for secret key distribution. 
In many applications a digital signature capability for integrity and nonrepudiation is sufficient and secret key
distribution is not necessary. NIST does recognize the need for secret key distribution in other applications (e.g., 
where encryption is used). However, NIST and NSA have not yet selected such a method. NIST decided that it 
would be better to provide a public key based signature system immediately than to wait for both a signature system 
and secret key distribution system at some later time. 

In addition, there are certain advantages to having separate algorithms for signature and key distribution. First, 
cryptographic algorithms that do not encipher data clearly come under the Department of Commerce export rules 
whereas export of encryption algorithms is controlled by the Department of State procedures which tend to be more
restrictive [NBUL]. Secondly, certain countries readily permit the use of signature algorithms within their borders, 
but they restrict the use of encryption algorithms. 

4.5 The DSA is incomplete because no hash algorithm is specified 
Response: 

On January 30, 1992 [FRSHS], NIST proposed a Secure Hash Standard (SHS) [DFIPSYY] which specifies a Secure 
Hash Algorithm (SHA) that is required for use with the DSA and whenever a secure hash algorithm is needed for 
federal applications. Copies of the SHS may be obtained by writing to the Standards Processing Coordinator (ADP), 
National Institute of Standards and Technology, Technology Building, room B-64, Gaithersburg, MD 20899. The 
SHA produces a 160-bit message digest on any data string up to 2^64 - 1 bits. The SHS comment period ended on 
April 30. Comments were received from twenty-four separate government agencies, companies, and private 
individuals. The vast majority of the comments were favorable, and no technical flaws in the algorithm were found. 
NIST now plans to proceed with the process of making the proposed SHS a FIPS. 

Table 1 shows sample SHA processing rates obtained for C code implementations of the SHA on three different 
computers. Other implementors may obtain differing rates based upon the degree to which the code has been 
optimized, the compiler used, and other factors. The rates appear adequate for many data security applications. 



Machine            Rate (bytes/second) 
AT                 2,523 
486 (33 MHz)       28,169 
SUN SPARC          222,233 

Table 1: Sample SHA Processing Rates 



4.6 The DSA is not compatible with IS 9796 

International Standard 9796 [IS9796] is a standard for digital signatures with message recovery. According to this 
standard the message must be half the block size of a reversible public key encryption algorithm. The message is 
then redundantly padded to fill the entire block size and then "encrypted" with the user's private key to form the 
signature. An n-bit message results in a 2n-bit signature. Any verifier of the signature can use the public key of 
the signer to recover the redundantly encoded message. Rather than having the signer send the message as well as 
the signature, IS 9796 permits the recovery of the message from the signature itself. 
Response: 

IS 9796 specifies a digital signature scheme which provides message recovery from the signature. It is inefficient 
for signing moderate or long messages one half block at a time. The standard does allow for signing a message 
digest instead of a message, but then one would have to transmit the message along with the signature and the 
reversibility of the algorithm would provide no apparent advantage. 

Since the DSA is not reversible, it could not meet the requirements of IS 9796 for a reversible algorithm. However, 
producing a 2n-bit signature from an n-bit message (as with IS 9796) is inefficient and causes unnecessary data 
expansion. When the DSA is used with the SHA algorithm an n-bit message will result in a 320-bit signature, and 
only n+320 bits need be transmitted. Thus, messages longer than 320 bits, or shorter than the block size minus 320 
bits, will have less data transmission requirements if signed using the DSA. 

In addition, there have been proposals for an alternative international signature standard, called "Digital Signature 
with Appendix". This alternative standard would permit the use of nonreversible algorithms for digital signatures 
and would not require that an n-bit message produce a 2n-bit signature. NIST will propose that the DSA algorithm 
be one of the algorithms that may be used in conjunction with the proposed alternative standard. 

4.7 The modulus is fixed at 512 bits 

Some parties responding to the request for comments believed that the DSA was insecure because the modulus was 
fixed at 512 bits. Others felt that although 512 bits provided adequate security for most of today's applications, it 
was not adequate for public key certificates and long term security. 

Response: 

The security of the DSA is based on the difficulty of solving the discrete log problem. Most security experts 
consider the discrete log problem to be at least as difficult as factoring (i.e., solving y = g^x mod p for x is as 
difficult as solving n = a * b for a and b when p is the same size as n). Therefore, the 512-bit DSA is at least as 
secure as many products, whose security is based on factoring, that are currently on the market today. One 
responder estimated that today it would take over eight million dollars (2.1 million MIPS-years @ $4 per MIPS-
year) to break the DSA but recommends allowing a modulus size of at least 710 bits. 

Currently, smart card systems have limited computational capabilities which would be heavily utilized in 
implementing a 512-bit public key algorithm. Smart card implementations of larger modulus sizes are not yet 
practical. However, implementing a 512-bit algorithm in a smart card where the private key never needs to leave 
the card may offer much greater overall security than implementing a larger size modulus in a shared PC. 

In response to the comments that a larger modulus size is required for certificates and long term security, modulus 
sizes of up to 1024 bits will be allowed. The revised standard will allow modulus sizes of 512, 576, 640, 704, 768, 
832, 896, 960, and 1024 bits. This array of sizes should be sufficient for protecting sensitive unclassified data for 
the foreseeable future. 

4.8 The 160-bit size of q is too small 
Response: 

Some parties claimed that the 160-bit size of q is too small but no analytical justification for this claim was 
provided. The 160-bit q provides a work factor of 2^80 which is consistent with the 160-bit message digest provided 
by the SHA. (Note that the 160-bit SHA message digest is already 32 bits longer than most other accepted message 
digests.) Assuming 32 x 10^12 operations per MIPS-year and a cost of $4 per MIPS-year, one would expect to spend 
at least [(2^80 operations)/(32 x 10^12 operations/MIPS-year)] x ($4/MIPS-year) = $151,000,000,000 to recover a single 
key, x. It has been estimated by Andrew Odlyzko that this is roughly the same effort that would be required to 
break a discrete log system with a 1024-bit modulus using the number field sieve. Therefore, the 160-bit q appears 
to be sufficient even when a 1024-bit p is used. 

4.9 Compromise of k would compromise the private key 
Response: 

Compromise of k would compromise the private key x. However it has not been shown that compromising k is 
any easier than compromising x itself. Both x and k are randomly or pseudorandomly generated; both x and k are 
kept in the most secure area of the cryptographic module; and neither x nor k need be known to any human being. 
If an adversary can gain physical access to k, then the adversary could also gain physical access to x. The DSA 
is designed so that neither x nor k can be determined from the signature. 

NIST will suggest techniques for generating the x, k, and other values in an appendix of the DSS. In addition, the 
authors highly recommend the use of smart cards to protect private keys and any other secret parameters used by 
public key algorithms. 

4.10 Weak values of p could be selected by a dishonest CA 

A claim was made that a dishonest Certification Authority (CA) could purposely select a value of p for its own users 
which would permit the CA to recover the private keys of the users. 

Response: 

The proposed DSS specifies a Digital Signature Algorithm. It does not discuss all the ways the algorithm may be 
used or misused. The qualifications section of the DSS Announcement states that "The responsible authority in each 
agency or department shall assure that an overall implementation provides an acceptable level of security." The 
proposed DSS specifically states that, "Systems for certifying credentials and distributing certificates are beyond the 
scope of this standard." Therefore, one would not expect an algorithm specification standard to cover the case of 
a dishonest certification authority. 

The DSS allows users to generate their own primes, p and q. The DSS also allows the user to use primes generated 
by a trusted party or a certification authority. If primes are known to be randomly generated, the user can even 
accept primes generated by a distrusted party. One can construct special primes that are considered weak. If they 
were used the private keys of the users might be recovered. (Note that many other algorithms have similar weak 
values.) However, the probability of generating a weak prime at random is infinitesimally small. (The probability 
of generating a weak p at random has been estimated to be less than 10'™.) Two parties pointed out that the use 
of a one-way function, such as the SHA, in the process that generates p and q could ensure that weak values occur 
only randomly. By making publicly known the input to the SHA, the resulting p, the resulting q, and the process, 
the user would be able to verify that weak primes were not purposely constructed. A technique which makes use 
of the SHA in the generation of DSA primes is proposed in Appendix A of this paper. 

The claim that a trapdoor was purposely placed in the DSA was the subject of a panel session at Eurocrypt '92. 
No evidence of an intent to put a trapdoor in the DSA was presented and by the end of the session the claim was 
substantially discredited. 

Warning! As with all systems using a certification authority, the certification authority must be trusted to correctly 
establish the binding between the user's identity and the user's public key. 
4.11 The DSA is less efficient for verification 
Response: 

Some of the comments provided inaccurate estimates of the computation time required for the DSA. Obviously one 
would like a signature algorithm to be as efficient as possible while still providing adequate security. The real issue 
is whether the DSA verification speed is sufficient. On a 386 personal computer³, the DSA can validate a signature 
in less than one second and the same computation can be done in milliseconds in hardware. These times are 
adequate for most applications. 

In order to fully understand the computational differences between the DSA and RSA one must consider five 
different computations: global computations, key generation computations, pre-computations, signature computations 
and verification computations. 

Global computations may be performed once for a set of users and need not be recomputed for a long 
period of time. Therefore, these computations do not normally impose a severe penalty on the operational 
system. For the DSA, the computation of p, q, and g could be considered global computations. The RSA 
does not have a similar computation. 

Key generation computations are performed in generating the public and private keys. For DSA one must 
generate x and y as the private and public keys. For RSA, primes p and q must be generated and e and 
d computed. (Note that when using the Chinese remainder theorem, d mod (p-1) and d mod (q-1) are 
generated instead of d.) 

The pre-computations for the DSA are performed for each message to be signed. However, these 
computations may be performed before any message is selected to be signed. These pre-computations 
involve generating k^-1 and r as inputs to the signature generation computation. RSA has no similar 
computation. 

For DSA the signature generation computations involve generation of the message digest, H(m), and the 
s portion of the signature. For RSA signature generation, one must compute s = (H(m))^d mod n. 

When performing the signature verification computations the DSA computes a putative r from the received 
message m, the received r, and the received s. If the computed value of r equals the received value of r 
the signature is verified. Otherwise the signature is rejected. Using the RSA one computes s^e mod n and 
compares it to the message digest of the received message. 

Table 2 indicates some sample computation times for the DSA and RSA algorithms performed either in a Hitachi 
H8-310 smart card processor or in a host personal computer. Efficient smart card implementations of public key 
cryptography are difficult to achieve because of the limited capabilities of current 8-bit smart card processors. On 
faster computers or special purpose smart card processors, the differences in computation times between the DSA 
and RSA algorithms become less significant to the human observer. 

The DSS offers an advantage with regard to its extremely efficient computation of the private and public keys. The 
private key is any randomly generated 160-bit value called x and the public key is y where y = g^x mod p. Since 
both computations are efficient the private and public keys can be easily generated on a smart card. While the 
public key can be read from the smart card at any time, the private key never needs to leave the protection of the 
card. Observed DSA key generation computations are 40-80 times faster than RSA key generation computations. 



³ Products are mentioned in this paper for informational purposes only and do not constitute an 
endorsement. 
In addition, the DSS has the capability of performing most of the signature computations before the actual message 
to be signed has been selected. This is done by pre-computing k, k^-1, and r. In fact several k, k^-1, and r values may 
be precomputed in a fashion that is transparent to the user. Then, when the user selects the message or data to be 
signed, the signature will be computed in a fraction of a second. This feature is especially useful in today's smart 
card systems where the card will perform the necessary pre-computations while the user is selecting and forming 
the message to be signed. Therefore, the signature process appears very efficient to the user. 



Algorithm             DSA                   RSA              DSA Common p,q,g (Estimated) 
Global Computation    Off Card (P)          NA               Off Card (P) 
Key Generation        14                    Off Card (S)     4 
Pre-computation       14                    NA               4 
Signature             .03                   15               .03 
Verification          16 On Card            1.5              10 On Card 
                      1-5 Off Card (P)                       1-3 Off Card (P) 

Table 2: Smart Card DSA & RSA Computation Times (All times are given in seconds. Off card computations 
performed on a 386, 33 MHz, personal computer. (P) indicates public parameters off card and (S) indicates secret 
parameters off card. Both algorithms use a 512-bit modulus.) 



The signature verification computations for the DSA require more computations than signature generation and 10-15 
times more than for the RSA algorithm. However, verification involves only public keys and can therefore be 
implemented in personal computers or in some other medium where more computational capability exists. This is 
an important distinction in smart card systems where signature generation would be performed in the secure card 
having a modest computational capability while verification could be performed elsewhere. 

The DSA parameters p, q, and g can be selected by individual users or be common to a group of users. If 
individually selected, they must be passed along with the user's public key to anyone desiring to verify that user's 
signature. If common values are selected by a group of users, they need not be transmitted with each message or 
each user's public key. Efficiency is improved by reducing the number of parameters that have to be transmitted 
and by permitting the one-time computation of certain intermediate results. 

When common or preestablished public values are employed, a technique due to Brickell, Gordon, and McCurley 
[BRICKELL] can be used to reduce the DSA pre-computation and verify times. NIST estimates that the pre-
computation time can be reduced to approximately 1/4 the un-optimized time and the verify time to 1/2 the 
un-optimized time in a smart card implementation. Computer programs which make use of this work are now being 
developed at NIST and Sandia Laboratories. 

In summary, the DSA validation computation appears to be adequate for many government and commercial 
applications. The DSA generates keys very efficiently and provides a pre-computation feature that can make the 
signature computation transparent to the user. Verification, although less efficient, is adequate for nearly all 
applications. These features may make the DSA highly desirable for many applications involving smart cards. 

4.12 The DSS is "buggy" 

One responder claimed that the DSS is "buggy" because if s = 0 then the computation of s^-1 at signature verification 
would "blow up". In addition if s = 0, then the user's private key x could be recovered. 
Response: 

The computation of s^-1 would not "blow up" on the verification calculation because the standard clearly states that 
the signature is rejected for any received s' outside of the range 0 < s' < q. As far as the security issue is concerned, 
it is true that if s = 0 then x could be recovered. However, there is no need to check for a condition which occurs 
with probability 2^-160. The proposed DSS allows implementors to either check for s = 0 upon signature generation 
or to ignore the unlikely event depending on their own preferences. 
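Sections 4.11 and 4.12 together describe the DSA computations: cheap key generation (x random, y = g^x mod p), message-independent pre-computation of k, k^-1 and r, the signature s = k^-1 (H(m) + x r) mod q, and a verification that recomputes r from m, r and s and rejects any received s outside 0 < s < q. The following is an added example written for this page, not code from the paper or from NIST. It carries those steps out on constructed toy parameters (p = 607, q = 101, g = 64, far too small for real use), uses hashlib's SHA-1 as a stand-in for the SHA (an assumption), and applies at signature generation the s = 0 check that Section 4.12 leaves to the implementor's preference.

```python
import hashlib
import secrets

# Constructed toy parameters, NOT for real use: q = 101 is prime, p = 607 = 6*101 + 1 is prime,
# and g = 2^((p-1)/q) mod p = 64 has order q.  The paper's sizes are 512-1024 bits for p and 160 for q.
P, Q, G = 607, 101, 64


def hash_mod_q(message: bytes) -> int:
    """H(m) as an integer reduced mod q.  SHA-1 stands in for the paper's SHA (assumption)."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % Q


def keygen(x=None):
    """Key generation: private x in [1, q-1], public y = g^x mod p (the cheap step of Section 4.11)."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def precompute(k=None):
    """Message-independent pre-computation: k, k^-1 mod q and r = (g^k mod p) mod q.
    A k giving r = 0 (probability about 1/q) is discarded and a fresh random k drawn."""
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, kk, P) % Q
        if r != 0:
            return kk, pow(kk, -1, Q), r
        k = None


def sign(x, message: bytes, pre=None):
    """s = k^-1 (H(m) + x r) mod q.  Accepts a precomputed (k, k^-1, r) triple; if the result is
    s = 0 (the Section 4.12 case) the triple is thrown away and a new k is used."""
    while True:
        k, k_inv, r = pre if pre is not None else precompute()
        s = (k_inv * (hash_mod_q(message) + x * r)) % Q
        if s != 0:
            return r, s
        pre = None


def verify(y, message: bytes, signature) -> bool:
    """Recompute r from m, r, s and compare; any r or s outside (0, q) is rejected before s^-1
    is taken, which is why s = 0 cannot 'blow up' the verifier."""
    r, s = signature
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1 = (hash_mod_q(message) * w) % Q
    u2 = (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r


if __name__ == "__main__":
    x, y = keygen()
    triple = precompute()                     # done before the message exists
    sig = sign(x, b"constructed message", triple)
    print(sig, verify(y, b"constructed message", sig), verify(y, b"altered message", sig))
```

With real-size parameters the only expensive step that touches the private key is the single modular multiplication inside sign; the modular exponentiation in precompute can run while the user is still composing the message, which is the transparency the paper describes for smart cards.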

5. Future Efforts 

The following set of activities are presently planned by NIST in adopting a DSS as a FIPS: 

1. Complete analysis and summary of comments; 

2. Analyze and attempt to resolve patent issues; 

3. Develop and evaluate alternative signature certification authority infrastructures; 

4. Propose technical enhancements to DSA; 

5. Issue second solicitation of comments on revised DSA; 

6. Hold a symposium on the applications of the DSA; 

7. Investigate the economic interests involving the DSS; 

8. Coordinate and harmonize the revised DSS with ANSI and ISO standards activities; 

9. Conduct final coordination of DSS within government; 

10. Recommend Secretary of Commerce approval of DSS; 

11. Publish revised DSS after Secretary of Commerce approval. 

A brief discussion of some of the major activities is presented below. 

5.1 Resolution of Patent Issues 

NIST is presently attempting to resolve the patent issues in accordance with its desire to make the manufacture, sale 
and use of devices and systems implementing the DSA free of royalties for patents. The U.S. government already 
has rights to use patented techniques assigned to Public Key Partners because the government sponsored some of 
the research leading to the patents. However, private users presently do not enjoy such rights. Neither the U.S. 
government nor private users presently enjoy rights to the Schnorr patent. Alternative solutions to potential 
problems are being reviewed. 

5.2 Second Federal Register Solicitation of Comments 

As currently envisioned, the DSS will be revised to allow the use of a larger modulus, to add a new method for 
generating p and q, to add a method for pseudorandom generation of k values, and to correct or clarify minor 
editorial and technical issues. In order to assure an adequate opportunity for review of the revised proposed DSS, 
NIST is planning to publish the proposal for a second comment period. 
5.3 Applications Symposium 

NIST plans to host a Symposium on the Applications of Digital Signature Technology. The purpose of the 
symposium is to provide a forum for discussion of common problems, goals, and issues pertaining to the application 
of the DSA. Further information will be provided as plans develop. 

5.4 International Infrastructure 

NIST is studying the legal and technical issues related to development and operation of an international digital 
signature infrastructure. The infrastructure would be a system of organizations, people and computers used for 
distributing certificates to individuals, government agencies and private companies. The study will examine the legal 
and regulatory requirements which must be addressed, propose a certification authority architecture, and attempt to 
clarify the roles that various government agencies wish to perform. Several U.S. government agencies are 
participating in and financing the study. 

NIST perceives a great need for such an infrastructure. Electronic filing of corporate and personal tax returns could 
be made more efficient and more secure if such a structure were available. Federal payments to contractors, vendors 
and social security recipients could be fully automated if the integrity and authenticity of electronic payments were 
assured. An international infrastructure is needed to provide security for worldwide business communications. NIST 
is presently working with the federal organizations responsible for such large scale applications. NIST intends to 
hold workshops with potential users and knowledgeable technical people in order to develop an infrastructure that 
will meet these anticipated needs. 

It is intended that the infrastructure will utilize existing concepts and systems. International Standard X.509 (a 
security part of the Directory standard) describes a tree structure for certifying digital signatures. A digital signature 
certificate distribution system has been designed in conjunction with the Privacy Enhanced Mail project. NIST plans 
to build on these efforts to produce a recommendation for consideration by federal organizations planning to use 
digital signatures. Results of the present study are anticipated in the middle of 1993. 

6. Conclusion 

Several milestones have been met and several still need to be accomplished. NIST will continue the work required 
for adoption of the proposed Digital Signature Standard as an approved Federal Information Processing Standard. 
NIST also believes that an international infrastructure is required in order for digital signatures to be widely used 
throughout the U.S. government and the world. 



[BRICKELL] E. Brickell, D. M. Gordon, K. S. McCurley, D. Wilson, Fast Exponentiation with Precomputation, 
Eurocrypt 92 Extended Abstracts, p 193-201. 

[DANS1X9] Working Draft American National Standard X9.30-199X, Public Key Cryptography Using 
Irreversible Algorithms for the Financial Services Industry: Part 1: The Digital Signature 
Algorithm (DSA), American Bankers Association, Washington, DC. 

[RIVEST] R. Rivest, A. Shamir, and L. Adleman. A Method for Obtaining Digital Signatures and Public-Key 
Cryptosystems, Communications of the ACM, No. 2, p 120-126, 1978. 

Appendix A: Generation of Primes p and q 

The Digital Signature Standard requires two primes, p and q, satisfying the following three conditions: 

a) 2^159 < q < 2^160 

b) 2^(L-1) < p < 2^L for a specified L, where L = 512 + 64j for some 0 ≤ j ≤ 8 

c) q divides p-1. 

This prime generation scheme starts by using the SHA and a user supplied SEED to construct a prime, q, in the 
range 2^159 < q < 2^160. Once this is accomplished, the same SEED value is used to construct an X in the range 
2^(L-1) ≤ X < 2^L. The prime, p, is then formed by rounding X to a number congruent to 1 mod 2q as described below. 

An integer x in the range 0 ≤ x < 2^g may be converted to a g-long sequence of bits by using its binary expansion 
as shown below: 

x = x_1*2^(g-1) + x_2*2^(g-2) + ... + x_(g-1)*2 + x_g -> {x_1, ..., x_g}. 

Note that the first bit of a sequence corresponds to the most significant bit of the corresponding integer and the last 
bit to the least significant bit. 

Conversely, a g-long sequence of bits {x_1, ..., x_g} is converted to an integer by the rule 

x = x_1*2^(g-1) + x_2*2^(g-2) + ... + x_(g-1)*2 + x_g. 
Let L - 1 = n*160 + b, where both b and n are integers and 0 ≤ b < 160. 

Step 1. Choose an arbitrary sequence of at least 160 bits and call it SEED. Let g be the length of SEED 
in bits. 

Step 2. Compute 

U = SHA[SEED] XOR SHA[(SEED+1) mod 2^g]. 

Step 3. Form q from U by setting the most significant bit (the 2^159 bit) and the least significant bit to 1. 
In terms of boolean operations, q = U OR 2^159 OR 1. Note that 2^159 < q < 2^160. 

Step 4. Use a robust primality testing algorithm to test whether q is prime¹. 

Step 5. If q is not prime, go to step 1. 

Step 6. Let counter = 0 and offset = 2. 

Step 7. For k = 0,...,n let 

V_k = SHA[(SEED + offset + k) mod 2^g]. 

Step 8. Let W be the integer 

W = V_0 + V_1*2^160 + ... + V_(n-1)*2^((n-1)*160) + (V_n mod 2^b)*2^(n*160) 

and let X = W + 2^(L-1). Note that 0 ≤ W < 2^(L-1) and hence 2^(L-1) ≤ X < 2^L. 

Step 9. Let c = X mod 2q and set p = X - (c-1). Note that p is congruent to 1 mod 2q. 

Step 10. If p < 2^(L-1), then go to step 13. 

Step 11. Perform a robust primality test on p. 

Step 12. If p passes the test performed in step 11, go to step 15. 

Step 13. Let counter = counter+1 and offset = offset + n + 1. 

Step 14. If counter ≥ 2^12 = 4096 go to step 1, otherwise (i.e., if counter < 4096) go to step 7. 

Step 15. Save the value of SEED and the value of counter for use in certifying the proper generation of p 
and q. 



¹ A robust primality test is one where the probability of a non-prime number passing the test is at most 
2^-80. 
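The Appendix A procedure, together with the check that Section 4.10 motivates (a user re-deriving p and q from the published SEED and counter to confirm the primes were not specially constructed), as an added example written for this page rather than code from the paper or from NIST. It assumes hashlib's SHA-1 in place of the 1992 SHA, a SEED whose length g is a multiple of 8 bits, a Miller-Rabin test with 40 rounds as the "robust primality test" of the footnote (error at most 4^-40 = 2^-80), and, where the appendix says to go back to step 1 and choose a new SEED, it takes SEED+1 mod 2^g so that a run is reproducible.

```python
import hashlib
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47,
                53, 59, 61, 67, 71, 73, 79, 83, 89, 97]


def sha(data: bytes) -> int:
    """160-bit digest as an integer.  hashlib's SHA-1 stands in for the 1992 SHA (assumption)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with 40 random bases: a composite passes with probability at most
    4^-40 = 2^-80, which meets the footnote's definition of a robust test."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # a witnesses that n is composite
    return True


def _q_from_seed(seed: int, g: int) -> int:
    """Steps 2-3: U = SHA[SEED] XOR SHA[(SEED+1) mod 2^g], then force bit 159 and bit 0 to 1."""
    nbytes, mod = g // 8, 1 << g
    u = sha(seed.to_bytes(nbytes, "big")) ^ sha(((seed + 1) % mod).to_bytes(nbytes, "big"))
    return u | (1 << 159) | 1


def _x_candidate(seed: int, g: int, offset: int, n: int, b: int, L: int) -> int:
    """Steps 7-8: V_0..V_n from SEED + offset + k, assembled into W, and X = W + 2^(L-1)."""
    nbytes, mod = g // 8, 1 << g
    v = [sha(((seed + offset + k) % mod).to_bytes(nbytes, "big")) for k in range(n + 1)]
    w = sum(v[k] << (160 * k) for k in range(n)) + ((v[n] % (1 << b)) << (160 * n))
    return w + (1 << (L - 1))


def generate_pq(seed: int, g: int, L: int = 512):
    """Appendix A.  seed is a g-bit integer (g >= 160 and a multiple of 8: assumption for the
    byte conversion).  Returns (p, q, seed, counter); SEED and counter are what step 15 saves."""
    assert L in range(512, 1025, 64) and g >= 160 and g % 8 == 0
    n, b = divmod(L - 1, 160)
    mod = 1 << g
    while True:
        q = _q_from_seed(seed, g)
        if not is_probable_prime(q):              # steps 4-5: new SEED (assumption: SEED+1)
            seed = (seed + 1) % mod
            continue
        counter, offset = 0, 2                    # step 6
        while counter < 4096:                     # step 14 bound, 2^12
            x = _x_candidate(seed, g, offset, n, b, L)
            c = x % (2 * q)
            p = x - (c - 1)                       # step 9: p is 1 mod 2q
            if p >= (1 << (L - 1)) and is_probable_prime(p):   # steps 10-12
                return p, q, seed, counter        # step 15
            counter += 1                          # step 13
            offset += n + 1
        seed = (seed + 1) % mod                   # 4096 misses: back to step 1


def verify_pq(p: int, q: int, seed: int, g: int, counter: int, L: int = 512) -> bool:
    """The certification of Section 4.10: given SEED and counter, anyone can re-derive q and p
    and confirm they came out of the one-way process rather than being chosen by the CA."""
    n, b = divmod(L - 1, 160)
    if q != _q_from_seed(seed, g) or not is_probable_prime(q):
        return False
    x = _x_candidate(seed, g, 2 + counter * (n + 1), n, b, L)
    c = x % (2 * q)
    return p == x - (c - 1) and p >= (1 << (L - 1)) and is_probable_prime(p)
```

For L = 512 a run of generate_pq in CPython takes a few seconds at most, most of it in the roughly 1/ln(2^512) chance that each candidate p is prime; verify_pq recomputes only the candidate at the saved counter, so a user receiving p, q, SEED and counter from a distrusted party can check them without repeating the search.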
Abstract 

Previously there have been essentially only two models for computers that people 
can use to handle ordinary consumer transactions: (1) the tamper-proof module, 
such as a smart card, that the person cannot modify or probe; and (2) the personal 
workstation whose inner working is totally under control of the individual. The 
first part of this article argues that a particular combination of these two kinds of 
mechanism can overcome the limitations of each alone, providing both security and 
correctness for organizations as well as privacy and even anonymity for individuals. 

Then it is shown how this combined device, called a wallet, can carry a database 
containing personal information. The construction presented ensures that no single 
part of the device (i.e. neither the tamper-proof part nor the workstation) can learn 
the contents of the database — this information can only be recovered by the two 
parts together. 



1 Introduction 

In this paper we shall be concerned with a general system consisting of a number of 
individuals and organizations. Each individual has a small database with (personal) 
information (for example credentials), and the purpose of a transaction is to either update 
this database (obtain a new credential) or read some information in it (show a credential). 
For such a system it is important that the data in the database are correct: 

• The organizations want to be sure that the contents of each database corresponds 
to what they have written in it. 

• The individuals want to be sure that the organizations only store correct information 
in the database, and that they can only read and update those parts of the database 
that they are entitled to. 

"Research partly done while visiting CWI 
Another basic requirement is that it should be possible for the individuals to participate 
anonymously in certain transactions. If, for example, the database contains medical 
information, which is needed in an investigation of a particular disease, the owner might 
require anonymity in order to participate in this investigation. There are, however, many 
other kinds of transactions, such as financial transactions, in which the issue of privacy is 
essential as well. 

Section 2 argues that the electronic wallet is well suited for this scenario. An electronic 
wallet consists of two parts: 

• A small, hand-held computer controlled by the user — denoted by C, for "computer"; 
and 

• A tamper-proof module issued by the organizations — denoted by T, for "tamper-
proof". 

These two parts are arranged in such a way that T can only talk with C and not the 
outside world. This might be achieved by embedding T inside C. All communication 
with organizations is via C. It is essential that there is no "alternative way" that T can 
send messages to or receive messages from the outside world. 

In the second part of the paper practical protocols are presented. First a new blind 
signature technique is presented in Section 3. Then Section 4 shows how, using the blind 
signatures, T can get a certified public key, which it can use to sign messages and thereby 
authenticate the actions taken by C. Then Section 5 presents the database protocols. In 
particular, it is shown how T can validate the information sent from the wallet without 
even knowing the contents of the database. 

2 Possible Settings 

This section discusses the advantages and disadvantages of different devices for use by 
individuals in a system including users and organizations, as described above. We shall 
primarily be concerned with how well the various alternatives support the requirements 
of correctness and privacy. 

2.1 Correctness and Privacy 

Correctness basically means that the data stored in a person's database can only be read 
or updated by the organizations/individuals that have permission to do so (according to 
some initially agreed rules). Note that these rules could say that a person is not allowed 
to change (parts of) his own database, and they could even (in extreme situations) specify 
that the user may not read parts of the database. 

The terms positive credential and negative credential will be used to denote information 
in the database, which is to the advantage and disadvantage of the person, respectively. 
A bad criminal record is an example of a negative credential. The user may want to delete 
negative credentials in the database, but this should, of course, be infeasible. 
By one-show credential we mean a credential that the individual is allowed to show 
only once. Electronic money, which may be spent only once, is a typical example of a 
one-show credential. 

While correctness is the most important requirement for organizations, privacy might 
be the important issue for individuals (at least in some situations), and it is essential for 
general acceptance of the system. We distinguish three levels of privacy: 

• Pure trust: 

Information about the individual may be revealed during a transaction — the indi- 
vidual cannot do anything to enhance his privacy, but must trust the organization 
to maintain it. 

• Computational privacy: 

If the individual follows the prescribed protocols, the organization cannot learn 
anything about him unless it can make a computation assumed to be infeasible. 

• Unconditional privacy: 

If the individual follows the prescribed protocols, even an all powerful organization 
cannot learn anything extra about him. 

2.2 Possible Approaches 

We now analyze how two very different devices meet the demands of correctness and 
privacy outlined above. We first consider a device trusted completely by the individuals 
and then a tamper-proof device issued by the organizations (or an issuing center trusted 
by the organizations). This analysis then leads to the definition of electronic wallets. 

Computer alone 

First consider the situation where the user just has a computer, which he controls com- 
pletely. In particular, he can delete or change any part of the memory, and he determines 
all messages which the device sends to the outside world. 

Using the techniques of [Cha84] and [CFN90] it is possible to obtain unconditional 
privacy in this scenario in an efficient way. However, this setting makes it very difficult 
for the organizations to prevent users from deleting negative credentials or using one-show 
credentials more than once. 

For example, in the case of an off-line electronic payments system, it is only known 
how to catch cheaters, who spend copies of the same electronic coin more than once, "after 
the fact". This method furthermore requires a large central database in which all valid 
coins are collected and compared (see [CFN90]), but this only has to be done periodically. 

In short, this setting can give unconditional privacy, whereas no really efficient method 
for correctness is known. 

Tamper-proof only 

In this setting each individual has a tamper-proof module (packaged as a smart-card, for 
instance) issued by the organizations. Hence the organizations trust the correctness of 
the messages sent by the card, whereas the user does not even know which messages are 
being sent. 

This approach gives correctness quite easily, because the tamper-proof part has to 
be broken in order to compromise the system. Furthermore, if cryptographic techniques 
are added it is sometimes possible to make systems in which cheating requires breaking 
the tamper resistant part and the cryptographic methods. Off-line electronic cash is an 
example of such a system. 

If a tamper-proof unit is used to store negative credentials, the owner can delete these 
by destroying or throwing away the card. However, in this way he will also delete the 
positive credentials and, furthermore, the organizations will detect it the next time they 
need the card. In order to recover from such intentional as well as accidental losses of 
credentials, the system can have a back up facility for recovering such lost credentials. 
Hence, this approach can provide a very high degree of correctness. 

The disadvantage of using the tamper-proof unit alone is that it only provides a low 
level of privacy, as the user has no control over the messages sent from the card. Therefore 
the card can (in principle) send any message that it likes during a transaction (e.g. the 
identity of the user). Hence, it can only give pure trust. 

Electronic Wallets 

The above analysis of two extreme settings shows that neither a user controlled computer 
nor a tamper-proof device alone can give sufficiently efficient and secure solutions. Elec- 
tronic wallets can be thought of as a way to obtain the benefits of both approaches by a 
suitable combination. 

Since no device that allows a tamper-proof device to communicate directly with the 
organizations can give a higher level of privacy than pure trust, the device must be 
constructed in such a way that the tamper-proof device cannot send messages to the 
organizations. 

Thus the device should consist of a user controlled computer, C, with a tamper-proof 
unit, T, (sometimes called an observer), which on behalf of the organizations ensures that 
C cannot deviate from the prescribed protocols or change any information in its database. 
The electronic wallet is the simplest such device as it only has a single such observer (T). 
It might be useful (for example in order to make fault recovery easier) to have more than 
one observer, but such an approach does not seem to add significantly more power to the 
wallet. 

Note, that C can freely communicate with the outside world without the knowledge 
of T, but the honest organizations will only accept messages which are approved by T. 

The rest of this paper presents protocols, which show how T can control the actions of 
C. The fact that T may not communicate directly with organizations means that these 
protocols must be secure against 

• Inflow: 

No matter how T and the organization deviate from the prescribed protocol, if C 
follows the protocol, the organization cannot send any extra (subliminal) information 
to T. 
• Outflow: 

No matter how T and the organization deviate from the prescribed protocol, if 
C follows the protocol, T cannot send any extra (subliminal) information to the 
organization. 

This means that even if the organization places a malicious observer in the wallet, there 
is no way that it can send back any information about the owner. 

If all protocols are secure against outflow, then the security against inflow is not that 
significant, because T cannot tell other organizations what it learns. However, if it is 
important that T does not reveal any secrets in case it is returned to the organizations, 
the protocols must be secure against inflow as well. 

3 The Signature Scheme 

This section presents the signature scheme which will be used in this paper. The notation 
is introduced, the basic signature scheme is described, and it is shown how it can be used 
in wallets. Then it is shown how to make blind signatures. 

3.1 Notation 

Let $q$ be a prime. The protocols to be presented work for any group $G_q$ of order $q$. As 
an example of such a group we consider another prime, $p$, such that $q$ divides $p - 1$, and 
define $G_q$ as the unique subgroup of $\mathbb{Z}_p^*$ of order $q$. The element $g \in G_q$ will always be a 
generator of $G_q$. It will be assumed that all parties know $p$, $q$ and $g$. 

The discrete logarithm of $h \in G_q$ with respect to $g$ is denoted by $\log_g h$, and the 
number of bits of an integer, $x$, will be denoted $|x|$. 

3.2 The Basic Scheme 

This subsection presents the signature scheme which will be used in the following proto- 
cols. 

The public key of the scheme is 

$$(p, q, g, h),$$ 

where $h \in G_q \setminus \{1\}$ and the corresponding secret key is $x = \log_g h$. 

Let $m \in G_q$ be a message. The signature on $m$ consists of $z = m^x$ plus a proof that 

$$\log_g h = \log_m z.$$ 

Given m and z, consider the following protocol: 

1. The prover chooses $s \in \mathbb{Z}_q$ at random and computes $(a, b) = (g^s, m^s)$. This pair is 
sent to the verifier. 

2. The verifier chooses a random challenge $c \in \mathbb{Z}_q$ and sends it to the prover. 

3. The prover sends back $r = s + cx$. 

4. The verifier accepts the proof if 

$$g^r = a h^c \quad\text{and}\quad m^r = b z^c.$$ 

If the prover can send correct responses $r_1$ and $r_2$ to two different challenges, $c_1$ and $c_2$, 
then 

$$g^{r_1 - r_2} = h^{c_1 - c_2} \quad\text{and}\quad m^{r_1 - r_2} = z^{c_1 - c_2},$$ 

and hence 

$$\log_g h = \log_m z = \frac{r_1 - r_2}{c_1 - c_2}$$ 

since $c_1 \neq c_2 \bmod q$ implies that $r_1 \neq r_2 \bmod q$. Now let $H$ be a one-way hash function 
(as in the Fiat-Shamir scheme, see [FS87]). Given this function and the above protocol 
the signature on $m$ is 

$$\sigma(m) = (z, a, b, r).$$ 

It is correct if $c = H(m, z, a, b)$ and 

$$g^r = a h^c \quad\text{and}\quad m^r = b z^c.$$ 

Hence, a signature on a $|q|$ bits message is $|q| + 3|p|$ bits long. 

Now consider attempts to forge signatures given only the public key. If $H$ has the 
property that it is as difficult to convince a verifier, who chooses $c := H(m, z, a, b)$, as a 
verifier who chooses the challenge at random ($H$ is like a random oracle), it is not feasible 
to make signatures without knowing $x$. 

Furthermore, it does not seem to help a forger to execute the proof that $\log_g h = \log_m z$ 
with the signer for the following reason. Consider the modification of the proof system 
in which the challenge, $c$, is chosen from a subset $A \subseteq \mathbb{Z}_q$ instead of $\mathbb{Z}_q$. For any such 
subset an execution of this modified scheme can be simulated perfectly in expected time 
$O(|A|)$. In particular this simulation is feasible if $|A|$ is polynomial in $|q|$. It is an open 
question to prove that executions of the protocol are secure when $A$ equals $\mathbb{Z}_q$, but we 
conjecture that no matter which $c \in \mathbb{Z}_q$ is chosen as challenge, the signer reveals no other 
information than the fact that $\log_g h$ equals $\log_m z$. 

Finally remains the possibility that a forger can construct a false signature by com- 
bining various given signatures $(m_i, z_i)$, where the forger has chosen $m_i$ adaptively (see 
[GMR88]). If $z_i = m_i^x$ then 

$$z_1 z_2 = (m_1 m_2)^x.$$ 

Hence there is a multiplicative relation which might be useful for a forger. However, 
the use of $H$ should prevent the forger from combining different signatures into a new 
signature. 
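
As an added illustration of the basic scheme (this code is not from the paper; it is an example written for this edition), the following Python implements key generation, signing and verification of $\sigma(m) = (z, a, b, r)$ with $H$ instantiated as SHA-256 reduced into $\mathbb{Z}_q$, and replays the extraction argument above: two responses to different challenges on the same $(a, b)$ yield $x$. The group parameters $p = 2039$, $q = 1019$, $g = 4$ are toy values chosen for readability, not ones the paper uses; the hash is taken nonzero so that the divisions by $c$ used in later blinding steps are always defined.

```python
import hashlib
import secrets

# Toy group parameters, constructed for this example: q | p - 1 and g generates
# the subgroup G_q of Z_p^* of order q (p = 2q + 1 and g = 4 is a quadratic
# residue, hence has order q). Real parameters are far larger.
P, Q, G = 2039, 1019, 4
assert pow(G, Q, P) == 1 and G != 1


def H(*values):
    """Fiat-Shamir challenge: hash (m, z, a, b) into a nonzero element of Z_q."""
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def keygen():
    """Secret key x in Z_q^*, public key h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def sign(x, m):
    """Signature on m in G_q: z = m^x plus a proof that log_g h = log_m z."""
    z = pow(m, x, P)
    s = secrets.randbelow(Q)
    a, b = pow(G, s, P), pow(m, s, P)           # first move (a, b) = (g^s, m^s)
    c = H(m, z, a, b)                            # challenge derived from the transcript
    r = (s + c * x) % Q                          # response
    return z, a, b, r


def verify(h, m, sig):
    """Check g^r = a h^c and m^r = b z^c with c recomputed from the signature."""
    z, a, b, r = sig
    c = H(m, z, a, b)
    return (pow(G, r, P) == a * pow(h, c, P) % P
            and pow(m, r, P) == b * pow(z, c, P) % P)


def extract(r1, c1, r2, c2):
    """Special soundness: two responses for the same (a, b) under different
    challenges give x = (r1 - r2) / (c1 - c2) mod q."""
    return (r1 - r2) * pow((c1 - c2) % Q, -1, Q) % Q


def soundness_demo(x):
    """Replay the argument of the text: a prover who can answer two
    challenges for one commitment has leaked its secret key."""
    s = secrets.randbelow(Q)
    c1, c2 = 17, 23                               # any two distinct challenges
    r1, r2 = (s + c1 * x) % Q, (s + c2 * x) % Q
    return extract(r1, c1, r2, c2) == x


def signature_bits():
    """One Z_q element and three G_q elements: |q| + 3|p| bits."""
    return Q.bit_length() + 3 * P.bit_length()
```

Messages must be elements of $G_q$, so a caller obtains one as `pow(G, k, P)`; any tampering with $r$ or $z$ makes `verify` fail, and `soundness_demo` returns `True` for every key, which is exactly why a signer must never reuse $s$.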

3.3 Signatures by T 

This section shows how the above signature scheme can be used by the tamper-proof 
device $T$ in a wallet. The problem that we have to deal with is that $T$ cannot be allowed 
to choose $a$ and $b$ alone, as it can encode some information in these two numbers. We 
therefore generate these two numbers using a coin-flipping protocol. If $T$ has a public key 
$(p, q, g, h_T)$ and a corresponding secret key $x_T = \log_g h_T$ it can sign a message $m \in G_q$ as 
follows: 

1. $C$ chooses $s_0 \in \mathbb{Z}_q$ and $t_0 \in \mathbb{Z}_q$ at random and sends $\alpha := g^{s_0} h_T^{t_0}$ to $T$ (a commit- 
ment to $s_0$). 

2. $T$ chooses $s_1 \in \mathbb{Z}_q$ at random and sends $a_1 := g^{s_1}$ and $b_1 := m^{s_1}$ to $C$. 

3. $C$ sends $(s_0, t_0)$ to $T$ and computes $a := a_1 g^{s_0}$ and $b := b_1 m^{s_0}$. 

4. $T$ verifies that $\alpha$ equals $g^{s_0} h_T^{t_0}$ and computes $(a, b) := (a_1 g^{s_0}, b_1 m^{s_0})$. 

5. $T$ computes $c := H(m, m^{x_T}, a, b)$ and $r := s_0 + s_1 + c x_T \bmod q$. 

The signature on $m$ is $(m^{x_T}, a, b, r)$. 

It is not hard to see that if $C$ follows the protocol then $a$ and $b$ are uniformly distributed 
in $G_q$. Furthermore, $C$ can only open $\alpha$ as some $s'_0 \neq s_0$ if it can find $x_T$. Hence, if $T$ 
follows the protocol and $C$ does not know $x_T$, then $a$ and $b$ are random elements of $G_q$. 

Proposition 3.1 

The above protocol for making signatures has the following two properties: 

1. If C follows the protocol, then the signature is randomly distributed among the 
signatures on m — even if a cheating T has unlimited computing power. 

2. If T follows the protocol, then a polynomially bounded cheating C learns no more 
than a random signature on m. 

Proof 

Both claims follow from the fact that the coin-flipping protocol in Steps 1-4 above has 
the following two properties: 

1. $(a, b)$ is uniformly distributed among the possible pairs, if $C$ follows the protocol — 
even if a cheating $T$ has unlimited computing power (because $\alpha$ contains no Shannon 
information about $s_0$). 

2. A polynomially bounded $C$ can only open $\alpha$ in two different ways if it knows $\log_g h_T$. 
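
The coin-flipping signature above, as an added example (not the paper's code). It assumes the commitment in Step 1 is $\alpha = g^{s_0} h_T^{t_0}$, so that opening it two ways amounts to knowing $x_T$, and uses the same toy group ($p = 2039$, $q = 1019$, $g = 4$) and SHA-256 challenge as the earlier example; `Observer`, `wallet_sign` and `cheating_opening_rejected` are names of this example. The $C$ side recomputes $a$ and $b$ from its own $s_0$ so it can detect an observer that substitutes different randomness, and a $C$ that tries to reopen $\alpha$ after seeing $(a_1, b_1)$ is rejected by $T$.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4          # toy group, constructed: q | p - 1, g of order q


def H(*values):
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def verify(h, m, sig):
    """Verification of the basic scheme of Section 3.2."""
    z, a, b, r = sig
    c = H(m, z, a, b)
    return (pow(G, r, P) == a * pow(h, c, P) % P
            and pow(m, r, P) == b * pow(z, c, P) % P)


class Observer:
    """T: owns x_T, contributes s_1, and signs only after C opens alpha correctly."""

    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1
        self.h = pow(G, self.x, P)                       # h_T

    def step2(self, m, alpha):
        self.m, self.alpha = m, alpha
        self.s1 = secrets.randbelow(Q)
        self.a1, self.b1 = pow(G, self.s1, P), pow(m, self.s1, P)
        return self.a1, self.b1

    def step4_5(self, s0, t0):
        # Step 4: alpha must open to (s0, t0); a different opening would
        # require C to know x_T (binding of the Pedersen commitment).
        if self.alpha != pow(G, s0, P) * pow(self.h, t0, P) % P:
            raise ValueError("commitment opened inconsistently")
        a = self.a1 * pow(G, s0, P) % P                  # a = g^{s0 + s1}
        b = self.b1 * pow(self.m, s0, P) % P             # b = m^{s0 + s1}
        z = pow(self.m, self.x, P)
        c = H(self.m, z, a, b)                           # step 5
        r = (s0 + self.s1 + c * self.x) % Q
        return z, a, b, r


def wallet_sign(T, m, cheat=False):
    """C's side of the protocol. With cheat=True, C tries to open alpha as s0 + 1."""
    s0, t0 = secrets.randbelow(Q), secrets.randbelow(Q)
    alpha = pow(G, s0, P) * pow(T.h, t0, P) % P          # step 1: commit to s0
    a1, b1 = T.step2(m, alpha)                           # step 2
    opening = ((s0 + 1) % Q, t0) if cheat else (s0, t0)  # step 3
    sig = T.step4_5(*opening)                            # steps 4-5
    # C knows s0 and (a1, b1), so it can recompute a and b and check that
    # T used exactly the jointly chosen randomness before accepting.
    assert sig[1] == a1 * pow(G, s0, P) % P
    assert sig[2] == b1 * pow(m, s0, P) % P
    return sig


def cheating_opening_rejected(T, m):
    """True when T rejects an attempt by C to change s0 after seeing (a1, b1)."""
    try:
        wallet_sign(T, m, cheat=True)
    except ValueError:
        return True
    return False
```

The resulting tuple verifies under $h_T$ with the ordinary `verify`, which is the point of the construction: the outside world sees a normal signature, while neither party alone chose $(a, b)$.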



3.4 Blind Signatures 

To get a blind signature on the message $m$ in the above scheme one chooses a random 
$t \in \mathbb{Z}_q^*$ and asks the signer to sign $m_0 = m^t$. Let $z_0 = m_0^x$. Then the signer proves that 
$\log_g h = \log_{m_0} z_0$ in such a way that the messages are blinded: 

1. The signer chooses $s \in \mathbb{Z}_q$ at random and computes $(a_0, b_0) = (g^s, m_0^s)$. This pair 
is sent to the verifier. 

2. The verifier chooses $u \in \mathbb{Z}_q^*$ and $v \in \mathbb{Z}_q$ at random and computes 

$$a = (a_0 g^v)^u \quad\text{and}\quad b = (b_0^{1/t} m^v)^u.$$ 

(If both parties follow the protocol $a = (g^{s+v})^u$ and $b = (m^{s+v})^u$.) Then the verifier 
computes $z = z_0^{1/t}$, the challenge $c = H(m, z, a, b)$ and the blinded challenge $c_0 = 
c/u \bmod q$. The verifier sends $c_0$ to the signer. 

3. The signer sends back $r_0 = s + c_0 x$. 

4. The verifier accepts if 

$$g^{r_0} = a_0 h^{c_0} \quad\text{and}\quad m_0^{r_0} = b_0 z_0^{c_0}.$$ 

The verifier computes $r = (r_0 + v)u \bmod q$ and 

$$\sigma = (z, a, b, r).$$ 

Proposition 3.2 

$\sigma$ is a correct signature on $m$ if the verifier accepts in the above protocol. 

Proof 

Let $c = H(m, z, a, b)$. We have to prove that 

$$g^r = a h^c \quad\text{and}\quad m^r = b z^c.$$ 

The first equality follows from 

$$g^r = (g^{r_0} g^v)^u = (a_0 h^{c_0} g^v)^u = (a_0 g^v)^u h^{c_0 u} = a h^c$$ 

and the second from 

$$m^r = (m^{r_0} m^v)^u = (m_0^{1/t})^{u r_0} m^{vu} = (m_0^{r_0})^{u/t} m^{vu} = (b_0 z_0^{c_0})^{u/t} m^{vu} = b z^c.$$ 



Proposition 3.3 

The signer gets no information about $m$ and $\sigma$ if the receiver follows the protocol. 

Proof 

We will show that for all $m$, $z$, $a$, $b$ and $r$ such that 

$$g^r = a h^c, \qquad m^r = b z^c, \qquad c = H(m, z, a, b)$$ 

and for all $m_0$, $z_0$, $a_0$, $b_0$, $c_0$ and $r_0$ such that 

$$g^{r_0} = a_0 h^{c_0}, \qquad m_0^{r_0} = b_0 z_0^{c_0}$$ 

there is exactly one set of values of $t$, $u$ and $v$ such that the signer sees $(m_0, z_0, a_0, b_0, c_0, r_0)$ 
when making the signature $\sigma$ on $m$. In other words, that there is exactly one set of values 
of $t$, $u$ and $v$ such that 

$$m_0 = m^t, \qquad a = (a_0 g^v)^u, \qquad b = (b_0^{1/t} m^v)^u, \qquad c_0 = c/u, \qquad r = (r_0 + v)u.$$ 

First, $m$ and $m_0$ determine $t$ as 

$$m_0 = m^t, \qquad t = \log_m m_0.$$ 

Secondly, $u$ and $v$ are determined by $c$, $c_0$, $r$ and $r_0$ as 

$$u = \frac{c}{c_0} \quad\text{and}\quad v = \frac{c_0}{c}\, r - r_0.$$ 

Thus we just need to show that these values of $t$, $u$ and $v$ satisfy 

$$a = (a_0 g^v)^u \quad\text{and}\quad b = (b_0^{1/t} m^v)^u.$$ 

In doing this it can be assumed that $z_0 = m_0^x$ and $z = m^x$, because the signer actually 
proves that $z_0$ equals $m_0^x$ when making a blind signature. Hence $m_0 = m^t$ implies that 

The first equality is proven as follows 

$$a = g^r h^{-c} = g^{(r_0 + v)u} h^{-u c_0} = (g^{r_0} g^v h^{-c_0})^u = (a_0 g^v)^u.$$ 

The second equality follows by similar rewritings: 

$$b = m^r z^{-c} = (m^{r_0} m^v z^{-c_0})^u$$ 

This completes the proof. ■ 

Hence, this signature scheme allows the receiver to obtain blind signatures. In particular 
it is possible for the receiver to get a signature on any message that he chooses. In order 
to avoid this problem in the application to wallets, the organization only signs a blinded 
message if the challenge is signed by T . The resulting scheme is presented in the next 
subsection. 
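
An added example (not from the paper) of the blind signature of Section 3.4 together with the consequence of Proposition 3.3: given any valid signature and any valid signer transcript, the values $t = \log_m m_0$, $u = c/c_0$ and $v = r/u - r_0$ from the proof satisfy the blinding equations, so the signer cannot tell which transcript produced which signature. The discrete logarithm is brute-forced, which only works because the toy group ($p = 2039$, $q = 1019$, $g = 4$) is tiny; `Signer`, `blind_sign`, `dlog` and `links` are names of this example.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4          # toy group, constructed: q | p - 1, g of order q


def H(*values):
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def verify(h, m, sig):
    z, a, b, r = sig
    c = H(m, z, a, b)
    return (pow(G, r, P) == a * pow(h, c, P) % P
            and pow(m, r, P) == b * pow(z, c, P) % P)


class Signer:
    """Holds x; only ever sees the blinded values m0 and c0."""

    def __init__(self):
        self.x = secrets.randbelow(Q - 1) + 1
        self.h = pow(G, self.x, P)

    def step1(self, m0):
        self.s = secrets.randbelow(Q)
        return pow(m0, self.x, P), pow(G, self.s, P), pow(m0, self.s, P)  # z0, a0, b0

    def step3(self, c0):
        return (self.s + c0 * self.x) % Q                                 # r0


def blind_sign(signer, m):
    """Receiver side of Section 3.4. Returns the signature on m and the
    transcript the signer saw, so that unlinkability can be checked."""
    t = secrets.randbelow(Q - 1) + 1                  # blinding factor in Z_q^*
    m0 = pow(m, t, P)
    z0, a0, b0 = signer.step1(m0)
    u, v = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)   # step 2
    t_inv = pow(t, -1, Q)
    a = pow(a0 * pow(G, v, P) % P, u, P)
    b = pow(pow(b0, t_inv, P) * pow(m, v, P) % P, u, P)
    z = pow(z0, t_inv, P)
    c = H(m, z, a, b)
    c0 = c * pow(u, -1, Q) % Q                        # blinded challenge
    r0 = signer.step3(c0)
    # Step 4: check the signer's answer on the blinded values before unblinding.
    if pow(G, r0, P) != a0 * pow(signer.h, c0, P) % P:
        raise ValueError("bad response (first equation)")
    if pow(m0, r0, P) != b0 * pow(z0, c0, P) % P:
        raise ValueError("bad response (second equation)")
    r = (r0 + v) * u % Q
    return (z, a, b, r), (m0, z0, a0, b0, c0, r0)


def dlog(base, target):
    """Brute-force log_base(target); feasible only because q is tiny."""
    for e in range(Q):
        if pow(base, e, P) == target:
            return e
    raise ValueError("no logarithm")


def links(m, sig, view):
    """Proposition 3.3: for ANY valid signature (z, a, b, r) on m and ANY valid
    signer transcript there is exactly one (t, u, v) relating them. Returns
    True when the (t, u, v) computed from the proof's formulas does so."""
    z, a, b, r = sig
    m0, z0, a0, b0, c0, r0 = view
    c = H(m, z, a, b)
    t = dlog(m, m0)                                   # t = log_m m0
    u = c * pow(c0, -1, Q) % Q                        # u = c / c0
    v = (r * pow(u, -1, Q) - r0) % Q                  # v = r/u - r0
    return (a == pow(a0 * pow(G, v, P) % P, u, P)
            and b == pow(pow(b0, pow(t, -1, Q), P) * pow(m, v, P) % P, u, P)
            and z == pow(z0, pow(t, -1, Q), P))
```

Run two sessions on different messages and swap the transcripts: `links` is `True` in all four combinations, which is the operational meaning of the proposition.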

3.5 Blind Signatures in Wallets 

We assume that a center $Z$ is the signer. The public key of $Z$ is $h_Z$ and the secret key is 
$x_Z = \log_g h_Z$. 

1. $C$ chooses the blinding factor $t \in \mathbb{Z}_q^*$ at random and sends $m_0 := m^t$ to $Z$. 

2. $Z$ and $C$ choose $a_0$ and $b_0$ using a coin-flipping protocol (as in Section 3.3), such 
that only $Z$ knows $s = \log_g a_0 = \log_{m_0} b_0$. 

3. $Z$ computes $z_0 := m_0^{x_Z}$ and sends it to $C$. 

4. $C$ computes $z := z_0^{1/t}$ and chooses $u$ and $v$ at random. Then it sends $(a_0, b_0, z, u, v, t)$ 
to $T$. 

5. Both $T$ and $C$ can then compute $a := (a_0 g^v)^u$, $b := (b_0^{1/t} m^v)^u$, $c := H(m, z, a, b)$ and 
$c_0 := c/u$. $T$ signs $c_0$ and sends it to $C$. 

6. $C$ verifies the signature before sending the challenge and the signature to $Z$. 

7. From now on the protocol for constructing and verifying blind signatures is followed. 
Hence $Z$ computes the response, $r_0$, and sends it to $C$. $C$ verifies this response before 
forwarding it to $T$. Finally $T$ unblinds $r_0$ and verifies the signature. 

Theorem 3.4 

If C follows the protocol then 

1. Z gets no information about the signature on m. 

2. T sends no information to Z except a random signature on cq. 

3. Z sends no information to T except zq. 
Proof 

Assume that C follows the protocol. 

1. $Z$ sees messages with the same distribution as in the original protocol for making 
blind signatures — except that $Z$ cannot choose $(a_0, b_0)$ freely anymore. But this 
pair is chosen at random. Hence this property follows from Proposition 3.3. 
2. The only information, which originates from $T$, is the signature on $c_0$. However, 
Proposition 3.1 implies that this signature is randomly chosen among the possible 
signatures. 

3. $T$ sees the following messages from $Z$: 

$$(a_0, b_0), \quad z_0^{1/t} \quad\text{and}\quad r_0,$$ 

and $T$ receives $u$, $v$ and $t$ from $C$. Here $(a_0, b_0)$ is uniformly distributed (by the 
same argument as in the proof of Proposition 3.1), and $r_0$ is uniquely determined. 
Hence, $Z$ can only send information to $T$ via $z$. 

■ 

Note that if $Z$ does not compute $z_0$ as $m_0^{x_Z}$ then $C$ will discover it. Thus, it is impossible 
for $Z$ to send information to $T$ without being detected. However, as we shall see in the 
next section even this possibility of inflow is eliminated in our application of the protocol. 

We now look at the security of the protocol and assume that $T$ and $Z$ both follow 
the protocol. It will be argued that if the basic signature scheme is secure, and if $T$'s 
signatures cannot be faked, then no matter what a polynomially bounded $C$ does, it learns 
no more than a random signature on $m$. 

As $C$ cannot forge $T$'s signatures, it can be assumed that $c_0$ is computed as $c_0 := 
H(m, z, a, b)$, where $C$ can choose $z$, $a$ and $b$, but not $m$. By the assumption about $H$ 
this means that $C$ cannot control the value of $c_0$ ($C$ cannot force $c_0$ to be any particular 
value, except by trying different values for $z$, $a$ and $b$ and hoping they will give a "good" 
value of $c_0$). Thus $C$ does not seem to be better off in this situation than when it just gets 
a "normal" signature from the signer. 

4 Obtaining a Pseudonym 

This section shows how the wallet can get a public key, which is signed by a key authen- 
tication center. The signature on the public key will be called a validator. This protocol 
has the property that neither the center nor any other unlimited powerful organization 
can link the identity of the user to the public key (or its validator). 

Combining this result with Section 3.3 gives a method for T to sign messages without 
revealing any information at all about the owner of the wallet. This provides a method for 
T to validate the messages, which C sends to the outside world, without revealing anything 
about the identity of the user; these messages are only accepted by the organizations if 
they are signed properly (by T). 

We now show how $T$ can generate a secret key $x \in \mathbb{Z}_q^*$ and obtain a certificate on 
the corresponding public key $h = g^x \bmod p$. In order to get started, it is assumed that 
each $T$ is born with a secret key, $x_T$, and a corresponding public key, $h_T$, to the signature 
scheme described in Section 3.3. These signatures can be traced to $T$ (and hence to the 
individual), and they are therefore only used in an initial step where $T$ gets a validated 
key from a key authentication center ($Z$). The center issues validators using the blind 
signature scheme from the previous section with secret key $x_Z$ and public key $h_Z$. 
The basic idea of the protocol for issuing validators is that $C$ and $T$ first execute 
a coin-flipping protocol in order to choose a secret key, $x$, which only $T$ learns. The 
corresponding public key is denoted by $h$. Then $C$ chooses a blinding factor, $t \in \mathbb{Z}_q^*$, 
and $Z$ signs the blinded public key ($h_1 = h^t$). Note that in the process of making the 
blind signature, $T$ has to sign a challenge computed as $H(h, h^{x_Z}, a, b)$. This signature 
guarantees to $Z$ that it validates a public key which is accepted by $T$. There is no need 
that $T$ signs $h_1$ before $Z$ starts making the blind signature, because before $Z$ computes 
the response, it only produces random messages, which a cheating $C$ could have produced 
by itself. In more detail the protocol goes like this: 

1. $C$ chooses $y_0 \in \mathbb{Z}_q^*$ at random and sends a commitment to $y_0$ to $T$. 

2. $T$ chooses $y_1 \in \mathbb{Z}_q^*$ at random and sends $h_0 := g^{y_1}$ to $C$. 

3. $C$ opens the commitment and sends $y_0$ to $T$. 

4. $T$ and $C$ compute $h := h_0^{y_0}$, and $T$ computes the secret key $x := y_0 y_1 \bmod q$. 

5. $T$ computes $z := h_Z^x$ ($= h^{x_Z}$) and sends it to $C$. 

6. $C$ chooses $t \in \mathbb{Z}_q^*$ at random and sends $h_1 := h^t$ to $Z$. 

7. $Z$ makes a blind signature on $h$ by signing $h_1$ as follows: 

(a) $Z$ computes $z_0 := h_1^{x_Z}$. Then $Z$ and $C$ choose $(a_0, b_0) := (g^{s_0}, h_1^{s_0})$ at random 
such that only $Z$ knows $s_0$, whereas both know $a_0$ and $b_0$. $Z$ sends $z_0$ to $C$. 

(b) $C$ first verifies that $z_0 = z^t$ and then it chooses $u \in \mathbb{Z}_q^*$ and $v \in \mathbb{Z}_q$ at random 
and computes 

$$a := (a_0 g^v)^u \quad\text{and}\quad b := (b_0^{1/t} h^v)^u.$$ 

$C$ then sends $u$, $v$, $t$ and $(a_0, b_0)$ to $T$. 

(c) $T$ computes the pair $(a, b)$ just as $C$ did, the challenge $c := H(h, z, a, b)$, and 
$c_0 := c/u \bmod q$. Then it signs $c_0$ (with help from $C$) and sends the 
signature to $C$. 

(d) $C$ computes $c := H(h, z, a, b)$, $c_0 := c/u$, and verifies the signature. $C$ then 
forwards $c_0$ and the signature to $Z$. 

(e) $Z$ verifies the signature on $c_0$ and computes $r_0 := s_0 + c_0 x_Z \bmod q$. 

(f) $C$ verifies that 

$$g^{r_0} = a_0 h_Z^{c_0} \quad\text{and}\quad h_1^{r_0} = b_0 z_0^{c_0}$$ 

and computes $r = (r_0 + v)u \bmod q$. Then $C$ forwards $r_0$ to $T$. 

(g) $T$ computes $r := (r_0 + v)u \bmod q$ and verifies that 

$$g^r = a h_Z^c \quad\text{and}\quad h^r = b z^c.$$ 



Theorem 4.1 

This protocol satisfies: 
1. If $T$, $C$ and $Z$ follow the protocol, then $T$ gets $Z$'s signature on $h$. 

2. If $C$ follows the protocol then $Z$ gets no information about $h$ or $\sigma$. This is true even 
if $T$ and $Z$ have unlimited computing power. 

3. If C follows the protocol then Z can construct all messages with the same distribu- 
tion in expected polynomial time except the signature on Co. 

4. If $C$ follows the protocol, then $T$ can simulate all messages that it receives — except 
$r_0$. 

5. If the blind signature scheme is secure then a polynomially bounded C cannot get 
a validated public key for which he knows the corresponding secret key. 

Proof 

The first three properties are straightforward to prove, and the fourth follows from The- 
orem 3.4 and the fact that $T$ can compute $z$ by itself. As for the last property, note that 
the security of the blind signature scheme means that $C$ can only get a signature on $h$, 
but $C$ cannot find the secret key corresponding to $h$ (i.e. $\log_g h$) unless it can compute 
discrete logarithms in $G_q$. ■ 

As $C$ can make sure that the signature on $c_0$ is random among all possible signatures, 
this theorem shows that the protocol for issuing a validated public key has no outflow. 
Furthermore, as $r_0$ is uniquely determined from the other messages the protocol protects 
against inflow. 
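
The validator protocol of this section (which contains the wallet blind signature of Section 3.5 as Step 7) as an added Python example; it is not the paper's code. Its simplifications are all assumptions of this example: $C$'s commitment to $y_0$ is the Pedersen commitment $g^{y_0} h_T^{t_0}$; $Z$ chooses $s_0$ alone instead of coin-flipping it with $C$; $T$ signs $c_0$ with the plain Section 3.2 signature on the group element $g^{c_0}$ rather than with the coin-flipping variant; and the group is the toy $p = 2039$, $q = 1019$, $g = 4$. Every check that the text assigns to $C$ in Steps 7(b), 7(d) and 7(f) is performed, and $Z$ refuses to answer a challenge that $T$ has not signed.

```python
import hashlib
import secrets

P, Q, G = 2039, 1019, 4          # toy group, constructed: q | p - 1, g of order q


def H(*values):
    data = b"|".join(str(v).encode() for v in values)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1


def basic_sign(x, m):            # Section 3.2 signature with key x
    z, s = pow(m, x, P), secrets.randbelow(Q)
    a, b = pow(G, s, P), pow(m, s, P)
    return z, a, b, (s + H(m, z, a, b) * x) % Q


def verify(h, m, sig):
    z, a, b, r = sig
    c = H(m, z, a, b)
    return (pow(G, r, P) == a * pow(h, c, P) % P
            and pow(m, r, P) == b * pow(z, c, P) % P)


def blind_pair(a0, b0, base, u, v, t):   # (a, b) := ((a0 g^v)^u, (b0^{1/t} base^v)^u)
    a = pow(a0 * pow(G, v, P) % P, u, P)
    b = pow(pow(b0, pow(t, -1, Q), P) * pow(base, v, P) % P, u, P)
    return a, b


class Observer:                  # T, born with (x_T, h_T); the only party to learn x
    def __init__(self):
        self.xT = secrets.randbelow(Q - 1) + 1
        self.hT = pow(G, self.xT, P)

    def step2(self, commitment):
        self.commitment = commitment
        self.y1 = secrets.randbelow(Q - 1) + 1
        return pow(G, self.y1, P)                        # h0 = g^{y1}

    def step4_5(self, y0, t0, hZ):
        # C's commitment to y0 is taken to be the Pedersen commitment g^{y0} h_T^{t0}.
        if self.commitment != pow(G, y0, P) * pow(self.hT, t0, P) % P:
            raise ValueError("C opened its commitment inconsistently")
        self.x = y0 * self.y1 % Q                        # secret key x
        self.h, self.hZ = pow(G, self.x, P), hZ          # h = h0^{y0}
        self.z = pow(hZ, self.x, P)                      # z = h_Z^x = h^{x_Z}
        return self.z

    def step7c(self, u, v, t, a0, b0):
        self.u, self.v = u, v
        self.a, self.b = blind_pair(a0, b0, self.h, u, v, t)
        c0 = H(self.h, self.z, self.a, self.b) * pow(u, -1, Q) % Q
        # The scheme signs elements of G_q, so c0 is encoded as g^{c0} (an assumption).
        return c0, basic_sign(self.xT, pow(G, c0, P))

    def step7g(self, r0):
        validator = (self.z, self.a, self.b, (r0 + self.v) * self.u % Q)
        if not verify(self.hZ, self.h, validator):
            raise ValueError("validator does not verify")
        return self.h, validator


class Center:                    # Z, the key authentication center; sees only h1 = h^t
    def __init__(self, hT):
        self.xZ = secrets.randbelow(Q - 1) + 1
        self.hZ, self.hT = pow(G, self.xZ, P), hT

    def step7a(self, h1):        # s0 chosen by Z alone here (the paper coin-flips it with C)
        self.s0 = secrets.randbelow(Q)
        return pow(h1, self.xZ, P), pow(G, self.s0, P), pow(h1, self.s0, P)

    def step7e(self, c0, tsig):
        if not verify(self.hT, pow(G, c0, P), tsig):    # only challenges approved by T
            raise ValueError("challenge not signed by T")
        return (self.s0 + c0 * self.xZ) % Q


def obtain_validator(T, Z):
    """C's side: it relays everything, checks everything, and never learns x."""
    y0, t0 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    h0 = T.step2(pow(G, y0, P) * pow(T.hT, t0, P) % P)          # steps 1-2
    h = pow(h0, y0, P)                                           # step 4
    z = T.step4_5(y0, t0, Z.hZ)                                  # step 5
    t = secrets.randbelow(Q - 1) + 1
    h1 = pow(h, t, P)                                            # step 6
    z0, a0, b0 = Z.step7a(h1)                                    # 7(a)
    if z0 != pow(z, t, P):                                       # 7(b)
        raise ValueError("Z did not compute z0 as h1^{x_Z}")
    u, v = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    a, b = blind_pair(a0, b0, h, u, v, t)
    c0, tsig = T.step7c(u, v, t, a0, b0)                         # 7(c)
    if c0 != H(h, z, a, b) * pow(u, -1, Q) % Q or not verify(T.hT, pow(G, c0, P), tsig):
        raise ValueError("T signed a wrong challenge")           # 7(d)
    r0 = Z.step7e(c0, tsig)                                      # 7(e)
    if (pow(G, r0, P) != a0 * pow(Z.hZ, c0, P) % P
            or pow(h1, r0, P) != b0 * pow(z0, c0, P) % P):       # 7(f)
        raise ValueError("Z's response is wrong")
    return T.step7g(r0)                                          # 7(g)
```

The returned validator is an ordinary signature on $h$ under $h_Z$, so any organization can check it with `verify` alone; $Z$ only ever handled $h_1 = h^t$ and a challenge signed by $T$, which is what Theorem 4.1 is about.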

5 An Application to Databases 

This section first describes how a very simple database offering unconditional privacy as 
well as correctness can be constructed, and then it is shown how a database in which the 
information is kept secret from both T and C can be constructed. By similar techniques, 
it is also possible to construct databases in which 

1. The data is known by T, but kept secret from C; and 

2. The data is known by C, but kept secret from T. 

Whenever T signs a message (anonymously) with respect to a public key, which is val- 
idated by the key authentication center, the signature will be referred to as a certified 
signature. 

5.1 A Simple Database 

The wallet can be used to store the personal database described in the introduction as 
follows: 

• All information in the database is stored by T and C. 
• Whenever an organization updates a field in the database, it sends a signed message 
to the wallet. C verifies the signature before it updates the database and forwards 
the new information plus the signature to T. Finally T verifies the signature and 
updates the database. 

• When an organization wants to read a field in the database (or a function-value of 
several fields), a certified signature on the value is sent to the organization. 

5.2 Database with Hidden Information 

The implementation presented above has the property that both T and C know all infor- 
mation in the database. This could be a little dangerous for the user, because T could 
leak all information, in case it is captured by another person, who is able to break the 
tamper-resistance. On the other hand, there might be certain very sensitive data in the 
database, which the user should not know either (or does not want to be stored in his 
computer). 

In the following it is therefore shown how the above database can be modified such 
that neither T nor C knows the data, but T is still able to control that C does not 
change anything in the database. We shall, however, only give protocols which allow 
the organization to read or write a single bit in the database. The following scheme for 
probabilistic encryption is an important ingredient in these protocols. 

Probabilistic Encryption 

Let $n = pq$, where $p$ and $q$ are primes both equivalent to 3 modulo 4. In order to encrypt 
a bit $b$, the committer chooses $r \in \mathbb{Z}_n^*$ at random and computes 

$$BC(n, b, r) := (-1)^b r^2 \bmod n.$$ 

A person knowing $p$ and $q$ can decipher a given ciphertext by determining whether it is a 
quadratic residue or not. However, for a person not knowing $p$ and $q$ this is presumably 
infeasible. 

Let $n_1$ and $n_2$ be two different moduli as above, and let $\beta_1 = (-1)^a r_1^2 \bmod n_1$ and 
$\beta_2 = (-1)^b r_2^2 \bmod n_2$ be probabilistic encryptions of the bits $a, b \in \{0, 1\}$. 
Theorem 5.1 

There exists a four-round protocol with security parameter $k$ in which a person, $P$, know- 
ing $r_1$ and $r_2$ can prove to another person, $V$, that $\beta_1$ and $\beta_2$ are in fact encryptions of 
the same bit. More precisely this protocol satisfies: 

1. If $P$ and $V$ follow the protocol, then $V$ will accept if $a = b$. 

2. If $V$ follows the protocol and $a \neq b$, then $V$ will reject the proof with probability at 
least $1 - 2^{-k}$ no matter what an unlimited powerful prover does. 

3. It is a proof of knowledge of $r_1$ and $r_2$. 

4. It is (computational) witness hiding (see [FS90]). 
Proof 

The protocol uses the cut-and-choose technique. The details are omitted here. ■ 
The Protocols 

It is assumed that each organization, $W$, has a modulus, $n_W$, as above, and that $W$ can 
make digital signatures. Prior to the execution of the read and write protocols to be 
described, the following start-up protocol is executed: 

1. $W$ constructs a request of the form $(n_W, op, name, time)$, where $op \in \{read, write\}$, 
$name$ identifies the bit which $W$ wants to read or write, and $time$ is a time-stamp. 
This request is signed and sent to the wallet together with certificates, which show 
that nw is a valid modulus and that the public key of W (for the signature scheme) 
is valid. 

2. C verifies the request and certificates, and if they are legal, C forwards them to 
T. In particular, C verifies that time is constructed correctly so that W has not 
encoded any information in it. 

3. T verifies the request and the certificates. 

Whenever $T$ and $C$ sign a message in the certified signature scheme $op$, $name$, $time$ and 
$n_W$ are included in the message. This prevents obvious frauds by $C$ in which signatures 
from previous executions of the same or different protocols are reused. 

Furthermore, each write protocol must be immediately followed by a protocol in which 
T sends a signed message to W (through C) in which it confirms having received the 
required messages. 

For each bit $b$ in the database, $T$ has given $C$ a commitment $\beta_T = BC(n_0, b_T, r_T)$ to 
a bit $b_T$, and $C$ has given $T$ a commitment $\beta_C = BC(n_0, b_C, r_C)$ to a bit $b_C$ such that 
$b = b_T \oplus b_C$. The modulus $n_0$ is the modulus of the organization which wrote $b$. An 
organization, $W$, with public modulus $n_W$ can read $b$ as follows: 

1. $T$ chooses $s_T \in \mathbb{Z}_{n_W}^*$ at random and sends $\alpha_T := (-1)^{b_T} s_T^2 \bmod n_W$ to $C$. 
$T$ proves to $C$ that $\alpha_T$ and $\beta_T$ are encryptions of the same bit. 

2. $C$ chooses $s_C \in \mathbb{Z}_{n_W}^*$ at random and sends $\alpha_C := (-1)^{b_C} s_C^2 \bmod n_W$ to $T$. 
$C$ proves to $T$ that $\alpha_C$ and $\beta_C$ encrypt the same bit. 

3. $T$ and $C$ sign $\alpha := \alpha_T \alpha_C$ using the certified signature scheme. 
This signature (and $\alpha$) is sent to $W$ (through $C$). 

4. $W$ verifies the signature and finds the encrypted bit by deciphering $\alpha$. 

This protocol has the following properties: 

• If C follows the protocol: No matter what (an unlimited powerful) T does, a is 
a random encryption of b. Furthermore, the signature on a does not contain any 
information other than the fact that a legal T produced it. 

• If T follows the protocol, then a is an encryption of b as long as C cannot fake T's 
signatures (or break the tamper-proofness). 
• It does not make it easier for $T$ and/or $C$ to find $b$ unless $W$ tells them how to 
distinguish encryptions of 0 from encryptions of 1 modulo $n_W$. 

The proofs of these properties are quite straightforward, and they are omitted from this 
extended abstract. The organization, $W$, can write a bit, $b$, in a given field in the database 
as follows: 

1. $T$ chooses $a_T \in \{0, 1\}$ and $r_T \in \mathbb{Z}_{n_W}^*$ at random and sends $\alpha_T := (-1)^{a_T} r_T^2 \bmod n_W$ 
to $C$. 

2. $C$ chooses $a_C \in \{0, 1\}$ and $s_C \in \mathbb{Z}_{n_W}^*$ at random and sends $\alpha_C := (-1)^{a_C} s_C^2 \bmod n_W$ 
to $T$. 

3. $T$ and $C$ sign $\alpha := \alpha_T \alpha_C$ in the certified signature scheme. This signature (and $\alpha$) 
is sent to $W$ (through $C$). 

4. $W$ verifies the signature and finds the bit $a$ by deciphering $\alpha$. 

5. $W$ and $C$ choose $r \in \mathbb{Z}_{n_W}$ at random using a coin-flipping protocol. 

6. $W$ then computes $b' = a \oplus b$ and $\alpha_W := (-1)^{b'} \alpha r^2$, which it subsequently signs. $W$ 
sends the signature ($\alpha_W$) to $C$. 

7. $C$ computes $\alpha_W$, verifies $\alpha_W$ and computes $\beta_C := \alpha_W \alpha_T^{-1}$, $\beta_T := \alpha_T$, $r_C := r s_C$ and 

$$b_C := \begin{cases} a_C & \text{if } \alpha_W = \alpha r^2, \\ a_C \oplus 1 & \text{if } \alpha_W = -\alpha r^2. \end{cases}$$ 

$C$ then forwards $\alpha_W$ and the signature to $T$. 

8. $T$ verifies the signature and computes $\beta_C := \alpha_W \alpha_T^{-1}$ and $\beta_T := \alpha_T$ and lets $b_T := a_T$. 

This protocol satisfies (again the proofs are omitted): 

• If $T$, $C$ and $W$ follow the protocol then after the execution the following holds: 

1. $\beta_T = BC(n_W, b_T, r_T)$; 

2. $\beta_C = BC(n_W, b_C, r_C)$; 

3. $b = b_T \oplus b_C$. 

• If $C$ cannot fake $T$'s or $W$'s signatures then $b \oplus b_T$ equals the plaintext corresponding 
to $\beta_C$. 

• After the execution $b \oplus b_C$ equals the plaintext corresponding to $\beta_T$ no matter what 
an unlimited powerful $T$ does. 

• $C$ and/or $T$ can only find $b$ if they can distinguish quadratic residues from quadratic 
non-residues modulo $n_W$. 

• If $C$ follows the protocol, then $W$ just gets a signature on a random encryption of a 
random bit. Similarly, $T$ just gets a random encryption of a random bit chosen by 
$W$. 

In the above two protocols the amount of inflow and outflow is very limited. Note that $W$ 
could have told $T$ the factorization of $n_W$ in advance. Hence, $T$ learns the bit. However, 
this does not seem to be a serious problem as $W$ already knows this bit. 
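
The probabilistic encryption and the read and write protocols of this subsection as an added Python example (not the paper's code). The equal-bit proofs of Theorem 5.1, the certified signatures and the coin-flip for $r$ are left out, as the paper leaves out their details: $r$ is chosen by $W$ alone here. The modulus $n_W = 1019 \cdot 2039$ and the names `Share`, `read_bit` and `write_bit` are constructed for this example. After a write, the three invariants listed above can be checked directly, and a subsequent read recovers the written bit.

```python
import secrets
from math import gcd

# Toy modulus, constructed: both factors are 3 mod 4, so -1 is a quadratic
# non-residue and the bit of (-1)^b r^2 is read off from a Legendre symbol.
# Real deployments use factors of 1024 bits or more.
P_W, Q_W = 1019, 2039
N_W = P_W * Q_W


def rand_unit(n):
    """Random element of Z_n^*."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            return r


def BC(n, b, r):
    """Probabilistic encryption BC(n, b, r) = (-1)^b r^2 mod n."""
    return (r * r if b == 0 else -r * r) % n


def decrypt(p, q, beta):
    """Only the owner of the factors can decide residuosity: beta is a
    quadratic residue mod n iff it is one mod p (and mod q)."""
    return 0 if pow(beta % p, (p - 1) // 2, p) == 1 else 1


class Share:
    """What one party (T or C) holds about one database bit: its half of the
    bit and the randomness of the commitment the other party holds."""
    def __init__(self, bit, r):
        self.bit, self.r = bit, r


def read_bit(n_W, T_share, C_share):
    """Read protocol: fresh re-encryptions under n_W whose product encrypts
    b_T xor b_C. The equal-bit proofs (Theorem 5.1) and the certified
    signature on alpha are omitted here."""
    alpha_T = BC(n_W, T_share.bit, rand_unit(n_W))        # step 1
    alpha_C = BC(n_W, C_share.bit, rand_unit(n_W))        # step 2
    return alpha_T * alpha_C % n_W                        # step 3: alpha sent to W


def write_bit(n_W, p_W, q_W, b):
    """Write protocol for organization W (factors p_W, q_W) writing bit b.
    Returns (T_share, C_share, beta_T, beta_C) after the execution."""
    a_T, r_T = secrets.randbelow(2), rand_unit(n_W)       # step 1
    alpha_T = BC(n_W, a_T, r_T)
    a_C, s_C = secrets.randbelow(2), rand_unit(n_W)       # step 2
    alpha_C = BC(n_W, a_C, s_C)
    alpha = alpha_T * alpha_C % n_W                       # step 3 (signed by T and C)
    a = decrypt(p_W, q_W, alpha)                          # step 4: W learns a = a_T xor a_C
    r = rand_unit(n_W)                                    # step 5: W alone here (paper: coin-flip with C)
    b_prime = a ^ b                                       # step 6
    alpha_W = (alpha if b_prime == 0 else -alpha) * r * r % n_W
    # step 7: C cannot decrypt, but it can tell which of the two admissible
    # re-randomisations of alpha it received and adjust its half accordingly.
    if alpha_W == alpha * r * r % n_W:
        b_C = a_C
    elif alpha_W == -alpha * r * r % n_W:
        b_C = a_C ^ 1
    else:
        raise ValueError("alpha_W is not a re-randomisation of alpha")
    beta_C = alpha_W * pow(alpha_T, -1, n_W) % n_W
    beta_T = alpha_T
    r_C = r * s_C % n_W
    b_T = a_T                                             # step 8: T keeps its mask as its half
    return Share(b_T, r_T), Share(b_C, r_C), beta_T, beta_C
```

Neither `read_bit` nor `write_bit` ever calls `decrypt` on behalf of $T$ or $C$: only code standing in for $W$ uses the factors, which mirrors the claim that the wallet parties see nothing but quadratic residuosity puzzles.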

6 Conclusion and Future Work 

We have argued that the electronic wallets presented here are an excellent way to store 
personal databases. And we have shown protocols that allow T to control and validate 
all messages from the user to the outside world. These protocols allow C to ensure that 
the privacy of the person is not compromised. They provide organizations with security 
against abuse by individuals that relies on the assumption that the tamper-proofness 
cannot be broken and that the signatures cannot be forged. 

The protocols presented do, however, have a limited kind of inflow because T and W 
see the same random values (such as those used to form the signatures). In case T gets 
captured, these values would let organizations who could read out the contents of a 
captured T link it to specific protocol instances. Forthcoming joint work with Stefan Brands, 
Ronald Cramer and Niels Ferguson shows how the need for observers and organizations 
to share such information can be avoided altogether. 
Abstract. We show how to break an electronic cash protocol due to 
van Antwerpen (a refinement of the system proposed by Chaum, Fiat, 
and Naor), and give an alternative protocol that fixes the problem. 

1 Introduction 

There has been much recent interest in electronic money — ways to perform mon- 
etary transactions by computer, telephone, fax machine, etc. Most proposed elec- 
tronic money schemes rely on cryptography for their security, in particular, on 
digital signatures [7]. 

In response to privacy concerns, electronic money systems in which payments 
are untraceable without the cooperation of the payer have been developed. This 
untraceable electronic money is called electronic cash. The cryptographic mech- 
anism used to provide untraceability is that of blind signatures [3]. 

Several different forms of electronic cash have been proposed. In addition to 
electronic coins [4], which have a fixed value, there are electronic checks [4] [2], 
which can be used for any amount up to a maximum value and then returned 
for a refund of the unused portion, and divisible electronic cash [5], which can 
be broken into smaller pieces that can be spent separately. 

We concentrate on a recent electronic check scheme [1] that is based upon 
earlier check schemes, but with great improvement in efficiency. We show how 
a weakness in the refund mechanism of the earlier systems becomes a fatal flaw 
in the newer system, and how that flaw can be exploited to cheat undetectably. 
We propose a revised protocol to correct the flaw. 

2 Transactions 

We call the participants in an electronic cash system the bank, the user, and the 
shop. The bank is the issuer of the electronic cash. The user obtains electronic 
cash from the bank in a withdrawal transaction, spends it at a shop in a payment 
transaction, and the shop then redeems it at the bank in a deposit transaction. In 
addition, for electronic check systems, the unused portion of a check is returned 
by the user to the bank in a refund transaction. 

We distinguish the user and the shop only to emphasize their roles in a 
payment; in fact, users can act as shops and shops can act as users. The user 
and the shop are also called the payer and the payee, respectively. 
E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 106-112, 1993. 
© Springer-Verlag Berlin Heidelberg 1993 
3 Checks 

Untraceable electronic checks were introduced by Chaum, Fiat and Naor [4], 
and refined by den Boer, Chaum, van Heyst, Mj0lsnes, and Steenbeek [2], with 
a significant improvement in efficiency. Checks are made up of three kinds of 
elements: challenge terms, denomination terms, and refund terms. 

Challenge terms are used to prevent double-spending of a check. Each challenge 
term contains a random $a_i$ chosen by the user, as well as $a_i \oplus u$, where 
$u$ is the user's identity (bank account number). During payment, each challenge 
term is opened to reveal either $a_i$ or $a_i \oplus u$, depending on the corresponding bit 
of a challenge chosen by the shop. If a check is spent with two different challenges, 
then (for some $i$) both $a_i$ and $a_i \oplus u$ will be revealed, from which $u$ can 
be obtained. 

Denomination terms are used to represent the value of the check. Each denomination 
term $d_i$ contains a unique coin number $b_i$, and corresponds to a different 
power-of-two denomination. The denomination terms are either ordered 
or are signed with different roots to indicate which denomination they repre- 
sent. During payment, only those terms corresponding to denominations used 
are actually opened. In order to keep the user from mixing terms from different 
checks (which would expose the protocol to a simple attack), the challenge and 
denomination terms are tied to a check number. The shop (and the bank) can 
easily verify that all the terms presented for payment (or deposit) belong to the 
same check. 

Refund terms are used to obtain refunds for unspent denomination terms in 
a check. Unlike the other terms, they are not tied to the check number. If they 
were, the bank could link deposits to their corresponding refunds, defeating 
the untraceability of the scheme. Instead, the refund terms $r_i$ contain the same 
coin numbers $b_i$ as the denomination terms. The bank keeps track of spent and 
refunded coin numbers to ensure that a denomination is not both spent and 
refunded. 

The coin numbers and identity numbers are built into the terms by the 
user. Because the terms are blinded for untraceability, the bank doesn't actually 
see these numbers at the time of withdrawal. To ensure that the terms are 
correctly formed, the protocol uses the cut-and-choose methodology introduced 
by Rabin [6]: the bank asks for more candidate terms than it actually needs, 
chooses a random subset of them and asks the user to demonstrate that they 
are well- formed, and uses the remaining unopened candidates only if all of the 
opened candidates were legitimate. We will assume that the bank asks for twice 
as many candidates as it needs, so that the probability of the user getting caught 
attempting to slip in a single bogus term is 1/2. 

This is the source of the weakness in these check systems. With probability 
1/2, the user can slip a bogus candidate past the bank. If there are enough 
challenge terms, a single bogus challenge term is unlikely to be of much use to 
a cheater, because the probability is still overwhelming that two challenges will 
differ at some other position. A user who tries to slip enough bad challenge terms 
into a check to cheat effectively will with high probability be caught. 
For the other terms, though, this presents a problem. If the user can slip in a 
denomination term/refund term pair for which the coin numbers $b_i$ don't match, 
then that denomination can be both spent and refunded, undetectably. 

To address this problem, Chaum, Fiat, and Naor suggest penalizing detected 
cheating attempts so that the net expected effect favors the bank. This solution 
is somewhat unsatisfying. At the time of the detection — withdrawal — the user 
has not yet cheated (by spending and refunding the same term). When a bad 
term is detected, the user may claim it is due to a data error, or may even refuse 
to open a bad term, claiming that the data has been lost. Since data errors and 
losses do occur, it would be difficult for the bank to fully justify imposing the 
penalty. 

Another possibility is to require more than one pair of terms for each denom- 
ination; Chaum, Fiat, and Naor suggest using two, as an alternative to imposing 
penalties upon detection. This would lower the probability of cheating because 
in order to escape detection, both pairs would have to be bad. The more pairs 
make up a denomination, the lower the chance of successfully cheating, but the 
bigger and costlier to handle the check becomes. 

As we will see, this troublesome problem proves to be fatal in the latest 
incarnation of the system. 

4 "Improved" Electronic Cash 

A new protocol by van Antwerpen [1] further refines this electronic cash system. 
This is a sophisticated protocol with order-of-magnitude improvements in both 
the size of the checks (and consequently the amount of storage required for 
them) and the amount of communication required, at the expense of some extra 
computation that can be done in the background. For efficiency reasons, several 
checks are grouped into a single pack; during withdrawal the user obtains an 
entire pack from the bank, but then spends them one at a time. 

For a complete description of the protocol, the reader is referred to van Antwerpen's 
paper, but we will give a brief synopsis. A pack of $k$ checks is made up 
of 2k pseudochecks and 2k pseudo-refund-parts, each of which is a single RSA- 
sized number. The terms that make up each pseudocheck (pseudo-refund-part) 
are multiplied together in such a way that they can later be separated. The 
pseudochecks contain the denomination and challenge terms, and the pseudo- 
refund-parts contain the refund terms. The terms that make up an actual check 
(refund part) are distributed among the pseudochecks (pseudo-refund-parts) by 
permutations chosen by the bank. The refund terms in the pseudo-refund-parts 
are also permuted by the user so that they won't line up with the correspond- 
ing denomination terms in the pseudochecks. This is to prevent the bank from 
gleaning information that might be used to link by amount, i.e., to link a 
deposit to a corresponding refund by checking that they are for complementary 
amounts. 

In addition, the cut-and-choose process has been modified. The bank still 
chooses a random subset of the terms, and the user still provides opening 
information for those terms, but the bank, rather than verifying that they are correct 
(which would be difficult because of the way the pseudochecks are formed), in- 
stead multiplies the resulting pseudocheck by a protection factor that renders 
it useless if the user lied about any of the opened terms. Veugen [8] has proved 
that the security of this technique is equal to that of the original, in the sense 
that if the user attempts to cheat, the probability that she will be unable to use 
the resulting checks is the same as the probability that she would be caught by 
the original cut-and-choose process. 

But this is precisely where the new protocol is flawed. Although there is 
still no problem with the challenge terms, recall that the solution (of imposing 
penalties) to the problem with the refund terms relied upon detection by the 
bank of cheating attempts. With this new mechanism, cheating attempts are 
never detected. 

Let $b_i$ be the coin numbers in the denomination terms and $b'_i$ be the coin 
numbers in the refund terms. The user could make $b_i \neq b'_i$ for all $i$. Then when 
asked to open some terms, the user provides the $b_i$ so that she will be able to 
remove the protection factors. The opened terms are divided out of the check, 
but the user will be able to both spend and refund all of the denominations that 
actually make up the check, undetectably. Needless to say, this is not a desirable 
property of an electronic cash system. 

5 Attempted Fixes 

There are several ways that one might attempt to patch the protocol. One pos- 
sibility is to put protection factors on the pseudo-refund-parts in addition to 
the ones on the pseudochecks. That way if the user were asked to open the $i$th 
terms, where $b_i \neq b'_i$, then if she produced $b_i$ she wouldn't be able to refund 
the term, and if she produced $b'_i$ she wouldn't be able to spend it. So in the 
previous scenario (with $b_i \neq b'_i$ for all $i$), she would still be able to spend all of 
the denomination terms, but not be able to refund any of the refund terms, and 
so would gain nothing. 

But this isn't good enough. The user need not make all of the denomina- 
tion/refund pairs bad. If only some are bad, it is possible that the bank won't 
select any of them during the cut-and-choose. The fewer bad terms there are, 
the more likely that they will all slip by. Whenever the bank picks a bad term 
to be opened, the user won't gain anything, because she'll only be able to spend 
the check and not refund any of it. But she won't lose anything either. Since the 
attempts are undetectable, she can just keep trying until she succeeds. 

To work around this, we could add an extra refund term that has no corre- 
sponding denomination term, so that the user must refund it or else lose money. 
But this isn't quite good enough either, because the user could reveal the coin 
numbers $b'_i$ from the refund terms instead of the coin numbers $b_i$ from the 
denomination terms, and when "caught," she would just refund the whole check 
and not spend any of it. To prevent this, we would need also to add an extra 
denomination term that has no corresponding refund term, forcing the user to 
spend as well as to refund. This works after a fashion, provided that the values of 
these extra terms are large enough to ensure negative expectation from cheating 
attempts, but it is cumbersome and makes the checks inconvenient to use. We 
will present a much cleaner solution. 



6 A Modified Protocol 

Our problems stem from the difficulty of ensuring that two coin numbers that are 
provided separately are in fact the same. The solution is actually quite simple — 
just provide a single coin number and use it for both terms! With the earlier 
systems, it is difficult to see how to do this without compromising the unlinka- 
bility of the terms, but in the newer system it is fairly straightforward. 

In van Antwerpen's system, candidates provided by the user to the bank 
during withdrawal look like 

$$X = R^{P} \prod_i F(a_i)^{P_i} \prod_i G(b_i)^{P_i} \qquad (1)$$

$$Y = T^{r} S^{Q} \prod_i G(b_i)^{Q_i} \qquad (2)$$

where $X$ is a pseudocheck candidate, $Y$ is a pseudo-refund-part candidate, $R$, $S$, 
and $T$ are blinding factors, the $P$'s and $Q$'s are exponents related to the prime 
roots used for signatures, the $F$'s are challenge terms with random numbers $a_i$ 
(as well as $a_i \oplus u$) incorporated, and the $G$'s are denomination or refund terms, 
with the random coin numbers incorporated. There are multiple $X$ and $Y$ for 
a given check pack; not shown here is a collection of permutations $\theta_i$ chosen by 
the user: the $i$th refund term of the $j$th pseudo-refund-part corresponds to the 
$i$th denomination term of not the $j$th pseudocheck, but rather the $\theta_i(j)$th 
pseudocheck. These permutations are to prevent the bank from linking by amount, 
as previously mentioned. 

For now we will ignore these permutations as well as the blinding factors. 
Note that the basic form of $X$ and $Y$ are 

$$X = \prod_i F(a_i)^{P_i} \prod_i G(b_i)^{P_i} \qquad (3)$$

$$Y = \prod_i G(b_i)^{Q_i} \qquad (4)$$

The $b_i$ are given in both $X$ and $Y$, and it is difficult to ensure that they in fact 
match. But instead of giving $X$ and $Y$ to the bank, the user can instead give 

$$X_1 = \prod_i F(a_i)^{P_i} \qquad (5)$$

$$X_2 = \prod_i G(b_i)^{P_i} \qquad (6)$$
and now the bank can compute 

$$X = X_1 X_2 \qquad (7)$$

$$Y = X_2^{\,\cdots} \qquad (8)$$

and voila!, the denomination and refund terms are now guaranteed to contain 
the same coin numbers. 

This is the primary protocol change. Except for the refund transaction, the 
rest of the protocol is the same as before. 
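
The mechanics of sections 3 to 6 can be checked with a small model. The following Python is an added example, not code from this paper or from van Antwerpen's scheme: it represents each candidate only by the coin number in its denomination term and the coin number in its refund term, abstracts away all blinding, signatures and protection factors, and keeps the bank's ledger of spent and refunded coin numbers. The scheme labels, the function names and the 32-bit constructed coin numbers are our own assumptions. It runs the all-mismatched strategy of section 4 through the original cut-and-choose, the protection-factor variant and the single-coin-number fix, and also gives the closed-form probability that $k$ bad candidates among $2n$ all escape opening, which generalizes the $1/2$ quoted in section 3.

```python
"""Toy model of the refund-term weakness (sections 3 to 6).

Constructed example, not code from the paper.  A candidate is modelled only
by the coin number in its denomination term and the coin number in its refund
term; blinding, signatures and protection factors are abstracted away, so the
only thing modelled is what the bank's ledger can and cannot check.
"""
import random
from math import comb

# Labels for the three withdrawal variants compared below (our own names).
ORIGINAL = "original"        # Chaum-Fiat-Naor cut-and-choose: opened terms are checked
PROTECTED = "van_antwerpen"  # protection factors: opened terms are never checked
FIXED = "fixed"              # section 6: the bank derives the refund terms from X_2


class BankLedger:
    """The bank's record of spent and refunded coin numbers (section 3)."""

    def __init__(self):
        self.spent = set()
        self.refunded = set()

    def _fresh(self, coin):
        return coin not in self.spent and coin not in self.refunded

    def deposit(self, coin):
        """Accept a deposited denomination term unless its coin number was seen."""
        if not self._fresh(coin):
            return False
        self.spent.add(coin)
        return True

    def refund(self, coin):
        """Accept a refund term unless its coin number was seen."""
        if not self._fresh(coin):
            return False
        self.refunded.add(coin)
        return True


def slip_probability(n, k):
    """Closed form: probability that all k bad candidates among 2n stay
    unopened when the bank opens a uniformly random n of them."""
    if k > n:
        return 0.0
    return comb(2 * n - k, n) / comb(2 * n, n)


def make_candidates(n, n_bad, rng):
    """2n candidates as (denomination coin, refund coin); the first n_bad
    have b_i != b'_i.  Coin numbers are constructed 32-bit values."""
    cands = []
    for i in range(2 * n):
        b = rng.getrandbits(32)
        b_prime = rng.getrandbits(32) if i < n_bad else b
        cands.append((b, b_prime))
    return cands


def withdraw(candidates, scheme, rng):
    """Cut-and-choose: the bank opens half of the candidates.
    Returns (caught, kept), kept being the candidates the user can use."""
    n = len(candidates) // 2
    opened_idx = set(rng.sample(range(len(candidates)), n))
    opened = [c for i, c in enumerate(candidates) if i in opened_idx]
    kept = [c for i, c in enumerate(candidates) if i not in opened_idx]
    if scheme == ORIGINAL:
        # The bank verifies the opened terms and refuses the withdrawal
        # if any of them is mismatched.
        caught = any(b != b_prime for b, b_prime in opened)
        if caught:
            kept = []
    elif scheme == PROTECTED:
        # Protection factors only spoil the opened terms; nothing is detected
        # and a mismatch in an opened term costs the user nothing (section 5).
        caught = False
    elif scheme == FIXED:
        # The bank computes Y from X_2 itself, so the refund terms carry the
        # denomination coin numbers whatever the user supplied (section 6).
        caught = False
        kept = [(b, b) for b, _ in kept]
    else:
        raise ValueError(scheme)
    return caught, kept


def double_use_count(kept):
    """User deposits and refunds every kept candidate; returns how many
    candidates the ledger accepted for *both* operations."""
    bank = BankLedger()
    return sum(bank.deposit(b) and bank.refund(b_prime) for b, b_prime in kept)


def estimate_slip(n, k, trials, seed=0):
    """Monte Carlo check of slip_probability: fraction of withdrawals in
    which none of the k bad candidates is opened."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        caught, _ = withdraw(make_candidates(n, k, rng), ORIGINAL, rng)
        hits += not caught
    return hits / trials


def demo(n=4, seed=1):
    """Run the all-mismatched strategy (b_i != b'_i for all i, section 4)
    through the three variants, opening the same subset in each.
    Returns {scheme: (caught, number of denominations spent and refunded)}."""
    cands = make_candidates(n, 2 * n, random.Random(seed))
    out = {}
    for scheme in (ORIGINAL, PROTECTED, FIXED):
        caught, kept = withdraw(cands, scheme, random.Random(seed))
        out[scheme] = (caught, double_use_count(kept))
    return out


if __name__ == "__main__":
    print(demo())
    print("P(1 bad of 8 slips by) =", slip_probability(4, 1))
```

With the protection-factor variant the user is never caught and every kept denomination is both spent and refunded; with the fix the ledger rejects the second operation on each coin number because only one coin number exists per term pair.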

We ignored the blinding factors and the user permutations. The blinding 
factors are not a problem; we could just put blinding factors as before on $X_1$ 
and $X_2$. The resulting $X$ would have a different blinding factor from the original 
protocol because it would be the product of the two blinding factors, but that 
has no detrimental effects on either the privacy or the security of the system. 

The permutations are another matter. Because the denomination and refund 
terms are now provided together as a single unit, there is no way to put them 
in separate places as before. This may not be as serious as it seems, because we 
need not refund the pseudo-refund-parts in the same order in which we with- 
drew them, so linking by amount can be made very difficult. Still, it would be 
preferable for the new protocol to leak no more information than the old. In the 
next section we will show how to recapture the full degree of unlinkability by 
slightly altering the structure of the blinding factors. 

7 Regaining Lost Privacy 

Notice that the pseudo-refund-part candidate has two blinding factors, $T^r$ and 
$S^Q$. The blinding factor $T^r$ is used to blind during withdrawal ($r$ is the prime 
root used to sign the pseudo-refund-part, so the user can divide by $T$ afterwards). 
The blinding factor $S^Q$ is used during refund; terms that have been spent are 
moved into this blinding factor so that they are not revealed when refunding the 
unspent terms. 

If the user could separate out and refund each unspent term individually, 
she could rearrange them into any order she wanted, getting the same privacy 
effect as from the permutations . Although she could do this just by moving 
unspent terms along with spent terms into the blinding factor, she would have 
to do it once for each unspent term in the pseudo-refund-part, and the resulting 
blinding factors would be correlated because they would contain some of the 
same factors. The bank could use this fact to link terms that come from the 
same pseudo- refund-part, undoing the privacy gain we thought we had achieved. 

If we change the refund blinding factor, however, to be of the form $S^{Qr}$, 
then we can make this work. After the bank takes the $r$th root, the user is left 
with $S^Q$ rather than $S^{Q/r}$, which means that she can change $S$. She couldn't do 
this before because she couldn't extract rth roots. By changing the S for each 
separated unspent refund term, the user can make them unlinkable from each 
other. 
By making this change to the blinding factors we can recapture all of the 
privacy lost by eliminating the permutations $\theta_i$. The rest of the protocol is also 
simplified by the elimination of the permutations. The cost is in efficiency: each 
refund term from the same pseudo-refund-part must be separated and refunded 
separately. But the blowup is only by the average number of unspent denom- 
inations per pseudocheck, and can be traded off against a slight increase in 
traceability if desired. 
Abstract. We show how to construct public-key cryptosystems that are fair, that is, 
strike a good balance, in a democratic country, between the needs of the Government and 
those of the Citizens. Fair public-key cryptosystems guarantee that: (1) the system cannot 
be misused by criminal organizations and (2) the Citizens maintain exactly the same rights to 
privacy they currently have under the law. 

We actually show how to transform any public-key cryptosystem into a fair one. The 
transformed systems preserve the security and efficiency of the original ones. Thus one can 
still use whatever system he believes to be more secure, and enjoy the additional properties 
of fairness. Moreover, for today's best known cryptosystems, we show that the 
transformation to fair ones is particularly efficient and convenient. 

As we shall explain, our solution compares favorably with the Clipper Chip, the 
encryption proposal more recently put forward by the Clinton Administration for solving 
similar problems. 

Note For The Reader. Since privacy and law enforcement interest most of society, 
and since we would welcome an informed debate before making crucial policy decisions in 
this area, we have made a sincere attempt to reach a broad audience. We thus hope that at 
least the goals and the properties of our approach will be understandable by the 
Government official and the Citizen who do not have any familiarity with cryptography. 
Further, the basic technical ideas of our solution --which are quite simple to begin with-- 
are presented at a very intuitive level, so as to be enjoyable for the reader generally familiar 
with the field of cryptography, though not necessarily an expert in secure protocol design. 
Such an expert will not have great difficulty in filling in the formalization and the 
occasionally subtle technical details that have been omitted in this draft. (We actually hope 
to have given her sufficient indications to make her journey through this draft as short as 
possible.) 

We apologize for not having the time to write different versions of this paper for different 
audiences. 
1. Introduction 
A wrong debate 

Currently, Court-authorized line tapping is an effective method for securing criminals to 
justice. More importantly, in our opinion, it also prevents the further spread of crime by 
deterring the use of ordinary communication networks for unlawful purposes. Thus, there 
is a legitimate concern that wide-spread use of public-key cryptography may be a big boost 
for criminal and terrorist organizations. Indeed, many bills propose that a proper 
governmental agency, under the circumstances allowed by the law, be able to obtain the 
clear text of any communication over a public network. At the present time, this 
requirement would translate into coercing citizens into either (1) using weak cryptosystems 
--i.e., cryptosystems that the proper authorities (but also everybody else!) could crack with 
a moderate effort-- or (2) surrendering, a priori, their secret key to the authority. It is not 
surprising that such alternatives have legitimately alarmed many concerned citizens, 
generating the feeling that privacy should come before national security and law 
enforcement. 

It is our opinion that this debate is wrong. It is wrong because it is a "one-bit debate," that 
is, it envisages either unconstrained privacy or no privacy at all. Extreme positions are 
more likely to be unjust and, indeed, having to choose only between the above alternatives 
is quite uncomfortable. Fortunately, we are not bound to choose only among what is 
currently available. It is indeed the goal of Science to understand reality and to change it to 
our advantage, so as to enlarge our options. 

Broadening the debate 

In this paper we show how cryptographic protocols can be successfully and efficiently 
used to build cryptosystems that are fairer, that is, that strike a better balance, in a 
democratic country, between the needs of society and those of the individual. More 
precisely, we show a simple and general methodology for transforming any public-key 
cryptosystem into a fair one, that is, one enjoying the following properties: 

1 (Unabusing) The privacy of the law-obeying user cannot be compromised, while 

2 (Unabusable) Unlawful users will not enjoy any privacy. 

Our transformation preserves the original security of the underlying cryptosystem and its 
efficiency. Since we believe that public-key cryptosystems are best suited for adoption in a 
large nation, in this paper we solely focus on making fair this type of cryptosystems. 

2. Public-Key Cryptosystems 

A conventional cryptosystem allows two users X and Y, who have previously agreed on a 
common secret key (e.g., by meeting in a secure physical location) to exchange private 
messages over a public network. The usefulness of such systems is quite limited. While 
there is plenty of need for private communication, agreeing on a common secret key 
without the help of a modern communication network is quite cumbersome. In the case of 
the military it may not be too inconvenient, since in this application it may be clearer 
beforehand with whom one will need to exchange private messages. But in other cases, as 
in business applications, it is very hard to know a priori with whom one will need to talk in 
private and thus establish a common secret key in advance. The type of cryptosystem best 
suited for these latter settings is a public-key cryptosystem (PKC for short) as introduced 
by Diffie and Hellman in [DiHe]. While in a conventional cryptosystem each secret key 
was used both for encrypting and decrypting, in a PKC the encryption and decryption 
processes are governed by pairs of matching keys, which are generated together so as to 
satisfy the following three properties, letting (E,D) be one such pair of matching 
encryption/decryption keys: 

1 Any message can be encrypted using E. 

2 Knowledge of D enables one to read any message encrypted with E; on the 
contrary, ignoring D it is practically impossible to understand messages encrypted 
with E. 

3 Knowing E does not enable one to compute its corresponding decryption key D. 

PKCs thus dismiss the need for agreeing beforehand on a common secret key, by using 
instead a bit of initial interaction. Assume that a user X generates a pair of matching 
encryption/decryption keys (Ex,Dx), and that a user Y wants for the first time to send him 
a private message and tells him so. Then X sends Ex to Y over the phone; Y easily 
encrypts her message to X with Ex because of Property 1 ; X easily decrypts it because of 
Property 2; and, because of Properties 2 and 3, no one else can understand the message so 
exchanged. Interaction (like in the case of electronic mail) is not however always available, 
and PKCs are thus most useful by stipulating what de facto is a "social agreement" 
between users and a key-management center. Each user X comes up with a pair of 
matching encryption and decryption keys (Ex,Dx). After generating a (Ex,Dx) pair, the 
user keeps Dx for himself and gives Ex to the key-management center. The center is 
responsible (and is trusted!) for updating and publicizing a directory of correct encryption 
keys, one for each user --i.e., a list of entries of the type (X,Ex) which, for example, may 
be publicized in a "phone-book format" or via a "411-like service." If, as in the latter 
example, this distribution occurs over a public network, a digital authentication that Ex 
comes from the center must be provided, for instance by using one of the existing digital 
signature schemes. Clearly the users must trust the center, as an untrustworthy center may 
enable a user Y to read the messages intended for user X by falsely claiming that Ey is X's 
encryption key. Thus, in ultimate analysis, the security of a PKC depends on the key- 
management center. Since setting up such a center on a grand scale requires a great deal of 
effort by society, the precise protocols the center must follow (and thus its properties) must 
be properly chosen. 

Every advantage has a drawback, and public-key cryptography is no exception. Here a 
main disadvantage is that any such system can be abused; for example, by terrorists and 
criminal organizations who can now conduct their illegal business with great secrecy and 
yet with extreme convenience. Very often scientists have jumped into new technical 
ventures without giving much thought to the consequences of their actions. Developing 
nuclear plants without solving first their associated nuclear waste problems is a notable 
example of the social blindness of Science in this century. Certainly, all of us envisage 
good uses for public-key cryptography, but the risk exists that the main fruits of this 
development may be harvested by criminal organizations, and it is thus our responsibility to 
give a more thorough thought to the matter. Fair Public-Key Cryptosystems (Fair PKCs 
for short) are our proposal to enjoy public-key cryptography while protecting society from 
the problems arising from its blind utilization. We hope that our proposal will start a fruitful 
scientific debate, and other scientific solutions will be sought to this important problem in 
order to avoid further plaguing a crime-ridden world. 

3. Fair PKCs 

3.1 The Informal Notion of a Fair PKC 

Let S be a public-key cryptosystem. Informally speaking, we say that 

S is a Fair PKC if it guarantees a special agreed-upon party --and solely this party!-- 
under the proper circumstances envisaged by the law --and solely under these 
circumstances!-- to understand all messages encrypted using S, even without the 
users' consent and/or knowledge. 

That is, the philosophy behind a Fair PKC is improving the security of the existing 
communication systems while keeping the legal procedures already holding and accepted 
by the society. The following proposition immediately follows from the above definition. 

Proposition: Let C be a ciphertext exchanged by two users in a Fair PKC S. Then, 
under the proper circumstances envisaged by the law, the proper third party will either 

1) find the cleartext of C relative to S (whenever C was obtained by encrypting a 
message according to S ) or 

2) obtain a (court-presentable) proof that the two users were not using S for their 
secret communication. 

Of course, if using any other type of public-key cryptosystem were to be made illegal, Fair 
PKCs would be most effective in guaranteeing both private communication to law-obeying 
citizens and law enforcement. (In fact, if a criminal uses a phone utilizing a Fair PKC to 
plan a crime, he can still be secured to justice by court-authorized line tapping. If he, 
instead, illegally uses another cryptosystem, the content of his conversations will never be 
revealed even after a court authorization for tapping his lines, but, at least, he will be 
convicted for something else: his use of an unlawful cryptosystem.) Nonetheless, as we 
shall discuss in section 4, Fair PKCs are quite useful even without such a law. 

3.2 An Abstract Way for Constructing Fair PKCs 

We shall now present, in a very abstract way, our preferred method for constructing Fair 
PKCs. We shall see in section 5 that this very abstract and almost paradoxical method can 
not only be concretely implemented, but actually be implemented in a most efficient way. 

Below, for concreteness of presentation, we shall use the Government for the special 
agreed-upon party, a court order for the circumstances contemplated by the law for 
monitoring a user's messages, and the telephone system for the underlying method of 
communication. We also assume the existence of a key-distribution center as in an ordinary 
PKC. 

In a Fair PKC there are a fixed number of predesignated trustees and an arbitrary number 
of users. The trustees may be federal judges (as well as different entities, such as the 
Government, Congress, the Judiciary, a civil rights group, etc.) or computers controlled by 
them and especially set up for this purpose. Even if efforts have been made to choose 
trustworthy trustees, a Fair PKC does not blindly rely on their being honest. The trustees, 
together with the individual users and the key-distribution center, play a crucial role in 
deciding which encryption keys will be publicized in the system. Here is how. 

For concreteness of exposition, assume that there are 5 trustees. Each user independently 
chooses his own public and private keys according to a given double-key system. Since the 
user himself has chosen both keys, he can be sure of their "quality" and of the privacy of 
his decryption key. He then breaks his private decryption key into five special "pieces" 
(computing from his decryption key 5 special strings/numbers) possessing the following 
properties: 

1) The private key can be reconstructed given knowledge of all five special pieces; 
2) The private key cannot be reconstructed if one only knows (any) 4, or less, of the 
special pieces; 

3) For i=1,...,5, the i-th special piece can be individually verified to be correct. 

Comment. Of course, given all 5 special pieces, one can verify that they are correct by 
checking that they indeed yield the private decryption key. The difficulty and power of 
property 3 consists of the fact that each special piece can be verified to be correct (i.e., that 
together with the other 4 special pieces yields the private key) individually; that is, without 
knowing the secret key at all, and without knowing the value of any of the other special 
pieces! (How these special pieces can be generated is explained in the full paper. Below we 
will show how they can be used. ) 

The user then privately (e.g., in encrypted form) gives trustee i his own public key and the 
i-th piece of its associated private key. Each trustee individually inspects his received piece, 
and, if it is correct, approves the public key (e.g., signs it) and safely stores the piece 
relative to it. These approvals are given to the key-management center, either directly by the 
trustees, or (possibly in a single message) by the individual user who collects them from 
the trustees. The center, which may or may not coincide with the Government, itself 
approves (e.g., it itself signs) any public key which is approved by all trustees. These 
center-approved keys are the public keys of the Fair PKC and they are distributed and used 
for private communication as in an ordinary PKC. 

Since the special pieces of each decryption key are privately given to the trustees, an 
adversary who taps a user's communication line possesses the same information as in the 
underlying, ordinary PKC. Thus if this is secure, so is the Fair PKC. Moreover, even if 
the adversary were one of the trustees himself, or even a cooperating collection of any 4 out 
of five of the trustees, due to property 2, he would still have the same information as in the 
underlying ordinary PKC. Since the possibility that an adversary corrupts 5 out of 5 federal 
judges is absolutely remote, the security of the resulting Fair PKC is the same as in the 
underlying, ordinary one. 

When presented with a court order, and only in this case, the trustees will reveal to the 
Government the pieces of a given decryption key in their possession. This enables the 
Government to reconstruct the given key. Recall that, by property 3, each trustee has 
already verified that he was given a correct piece of the decryption key in question. Thus, 
the Government is guaranteed that, in case of a court order, it will be given all correct 
pieces of any given decryption key. By property 1, it follows that the Government will be 
able to reconstruct any given decryption key if necessary. 
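
One concrete way to obtain the three properties of the special pieces is shown below. This is an added example, not the construction of this paper (which is deferred to the full paper): it assumes a Diffie-Hellman style public key $y = g^x \bmod p$, splits $x$ additively into five pieces so that reconstruction is one modular addition, and has the user publish a commitment $g^{x_i}$ for each piece so that a trustee can check its own piece and anyone can check that the five commitments multiply to $y$. The commitments, the toy parameters $p = 2039$, $q = 1019$, $g = 4$, and all function names are our own assumptions.

```python
"""Additive, individually verifiable splitting of a discrete-log private key
among five trustees (properties 1-3 of section 3.2).

Constructed example, not the paper's construction.  Assumptions: the
underlying PKC is Diffie-Hellman style with public key y = G^x mod P and
private key x in Z_Q; the parameters below are toy-sized.
"""
import secrets

P = 2039          # safe prime, P = 2*Q + 1 (toy size, constructed)
Q = 1019          # prime order of the subgroup generated by G
G = 4             # 2^2 mod P, hence an element of order Q
TRUSTEES = 5


def keygen():
    """The user's own key pair: x random in [1, Q), y = G^x mod P."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)


def split_private_key(x, n=TRUSTEES):
    """Break x into n pieces x_1..x_n with x = sum x_i (mod Q) and publish
    the commitment v_i = G^x_i mod P for each piece.
    Returns (pieces, commitments)."""
    pieces = [secrets.randbelow(Q) for _ in range(n - 1)]
    pieces.append((x - sum(pieces)) % Q)
    commitments = [pow(G, xi, P) for xi in pieces]
    return pieces, commitments


def trustee_check(piece, commitment):
    """Property 3, trustee side: piece i matches its published commitment.
    The trustee learns nothing about x or about the other pieces."""
    return pow(G, piece, P) == commitment


def commitments_match_key(commitments, y):
    """Property 3, public side: the commitments multiply to the public key,
    so the pieces they commit to sum to the private key."""
    prod = 1
    for v in commitments:
        prod = prod * v % P
    return prod == y


def reconstruct(pieces):
    """Property 1: with all pieces, the key is one modular addition."""
    return sum(pieces) % Q


def consistent_with(partial_pieces, x_candidate, n=TRUSTEES):
    """Property 2 illustrated: any n-1 pieces are consistent with *every*
    candidate private key, because the missing piece can always be taken
    as x_candidate - sum(partial) mod Q.  Returns that missing piece."""
    assert len(partial_pieces) == n - 1
    return (x_candidate - sum(partial_pieces)) % Q


def register(x, y):
    """Registration flow: each trustee verifies its piece, and the center
    approves the key only if all trustees approve and the commitments tie
    the pieces to y.  Returns (approved, pieces, commitments)."""
    pieces, commitments = split_private_key(x)
    all_ok = all(trustee_check(p, v) for p, v in zip(pieces, commitments))
    approved = all_ok and commitments_match_key(commitments, y)
    return approved, pieces, commitments


if __name__ == "__main__":
    x, y = keygen()
    approved, pieces, commitments = register(x, y)
    print("approved:", approved, "reconstructed:", reconstruct(pieces) == x)
```

In this model each trustee only ever sees one piece and its commitment; the Government, on a court order, collects the five pieces and adds them, which is the "5 short messages and one addition" of the next section.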

4. Basic Questions About Fair PKCs 

Before addressing the real technical question of how Fair PKCs can be concretely 
constructed, let us consider some legitimate and broader questions. 

Q: Are Fair PKCs less secure? 

A: No. Unless an adversary corrupts 5 out of 5 trustees (a rather unlikely event), they 
provably provide just the same security as the underlying, ordinary PKC. (Only 
the Government, and only in case of a court order, may have the cooperation of all 5 
trustees.) 

Q: Are Fair PKCs less efficient? 

A: No. Communication is exactly as efficient as in an ordinary PKC. The only 
differences are (1) when a public key is registered, and (2) when a private key is, in 
a lawful manner, retrieved by the Government. Each user validates his public key 
only once. Thus only once does he need to give pieces of his private key to the 
trustees. Moreover, as we have seen in section 4, this step can be implemented by 
sending 5 short messages, one to each trustee. Second, the lawful reconstruction of 
a private key by the Government is essentially instantaneous once the five special 
pieces are obtained from the trustees. Collecting these five pieces electronically is 
no more cumbersome than issuing or checking a court order, as is needed in a 
lawful procedure. (As we have seen in section 4, private-key reconstruction may 
just consist of receiving 5 short messages and one addition.) 

Q: In a totalitarian system, what confidence can we have in a Fair PKC? 

A: Most probably, in a totalitarian system the trustees will be selected with rather 
different criteria. It is thus conceivable that all of them (whether individuals or 
organizations) may routinely conspire so as to reconstruct all private keys, 
destroying all confidence in the privacy of a Fair PKC. On the other hand, believing 
that ordinary PKCs may be the way to guarantee individual privacy during a 
dictatorship is quite naive. Outlawing any form of PKC will be among the first 
measures taken by any dictator. Indeed, public use of cryptography is a gift of 
democracy (and it is important that this gift cannot be turned against it). In fact, Fair 
PKCs are close in spirit to Democracy itself, in that power is not trusted to any 
chosen individual (read "trustee") but to a multiplicity of delegated individuals. 

Q: Aren't Fair PKCs the same as ordinary PKCs in which users are obliged to give the 
Government the private key corresponding to every public key? 

A: No. This deprives the individual of his right to privacy a priori and without any just 
cause. Someone who has not committed (nor is suspected to have committed) a 
crime should not be required to surrender his right to private communication to 
anybody, not even to the Government. And this is exactly what he would be 
obliged to do by revealing his own private key at the time of registering his public 
one with the key-management authority. 

People consent that their right to privacy may be taken away under special 
circumstances, but do not agree to lose it in an automatic manner. Fair PKCs 
guarantee the users that they will keep exactly the same rights they currently have in 
a phone network, and with greater security. (In fact, due to technological advances 
or collusions with phone operators, eavesdropping ordinary phone conversations 
will become easier and easier for unauthorized parties.) 

Q: What is the difference between a Fair PKC and a PKC with a "hidden trapdoor" 
chosen by the Government? 

A: There are three main differences: 

1) A PKC with a hidden trapdoor is very dangerous: if an enemy finds it, the 
security of the entire system is compromised. 

By contrast, in a Fair PKC, each user chooses his key independently. Thus even if 
a single user's key is compromised, this does not affect other users at all. 

2) Society may never consent to using a PKC with a hidden trapdoor, since this is 
equivalent to asking the citizens to surrender their right to privacy even before being 
suspected of any wrongdoing! (On the other hand, should a government 
maliciously ask its citizens to use a special type of PKC concealing the presence of 
a master secret key, things may get quite unpleasant if the existence of such a key is 
later discovered!) 

3) PKCs with a hidden trapdoor may be weaker than ordinary PKCs, since in the 
former case the public and private keys must be chosen in a constrained way. In 
fact, enforcing the existence of a single master secret key for all public keys in the 
system is a very severe constraint in choosing the individual users' keys. Indeed, it 
is easy to speak of a system with a single master key, but it is also quite conceivable 
that any such cryptosystem may be easy to break. 

By contrast, a Fair PKC, unless all trustees unlawfully collaborate, offers the same 
security as the underlying PKC. Even if 4 out of 5 trustees are traitors, the time that 
an adversary should invest for understanding anything about a message encrypted 
in a Fair PKC provably equals the time he needs to invest when the same message 
has been encrypted in the underlying ordinary PKC. 

Q: Granted that Fair Cryptosystems protect Society and the individual. But what is 
their advantage if criminals do not use them for their communications? 

A: We must distinguish two settings: First, when the use of any PKC which is not Fair 
is made illegal. Second, when all commercially available PKCs are Fair (e.g., 
because they are the only ones to be standardized), even though non-Fair PKCs are 
not illegal. 

Setting 1 has a short answer: a criminal who uses a non-Fair PKC could be brought 
to justice at least on this charge (recall that Al Capone was convicted for tax 
evasion). 

Let us now consider setting 2. First, note that this is the current setting: anyone in 
the U.S.A. can use any cryptosystem he or she chooses (though the market for 
encryption products has not yet reached its full potential). Still, if Society ensures, 
via Standardization, that all easily available PKCs are Fair, there are big advantages 
to be gained. 

1) Criminals will have difficulty in distributing their own keys. 

In fact, they could not enjoy the convenience of a well-kept and well-publicized 
public file; that is, they could not call up anyone they want and have a secret 
conversation with her. They thus would need alternative, cumbersome, and 
secretive methods to exchange their own keys. 

In other words, it is one thing that criminals go out of their way to avoid being 
controlled by the Government in presence of a court order, and a very different thing 
that the Government goes out of its way to provide criminals with this capability 
by setting up an ordinary PKC on a grand scale! 

2) Besides difficulty in key distribution, criminals will have no convenient access 
to "alternative" cryptographic products which use their keys. 
In fact, most products whose usefulness may be greatly enhanced by public-key 
cryptography (such as "secure" phones, "secure" faxes, etc.) could become 
reasonably available, economic, reliable, and compatible only if mass produced; 
that is, only after intensive engineering effort and big initial investments. Thus, if 
essentially only the criminals were to use non-Fair cryptography, industry would 
not have sufficient interest in developing products incorporating such technology. 
(Else, the "criminal market" would have grown so much that we would have 
nothing more to worry about: civil society as we know it would have already ceased 
to exist.) Also, big and reputable companies would refrain anyway from 
manufacturing "questionable" products. Finally, even if a company were willing to 
manufacture products utilizing non-Fair PKCs, the list of its customers or any 
record of its sales would be excellent tips for the Police. 

3) In an ordinary PKC, the Government is in a difficult position. Since it cannot 
understand any conversation at all, it has no way to distinguish even potential 
criminals from non-criminals (setting aside what criminals are saying). In a Fair 
PKC, instead, the Government can at least make this distinction. Assume that a Fair 
PKC is standardized, X is one of its users, and a court order authorizes the 
Government to listen to all messages addressed to X. If the Government is still 
unable to understand these calls, it means that X really uses a different 
cryptosystem, and thus intends not to be understood by the Government even in 
case of a court order. This may be crucial information, and information not 
available in an ordinary PKC. 

4) If all commercially available cryptographic products (e.g., "secure" phones) 
were based on Fair PKCs, there would be several advantages. True: a powerful 
criminal organization could succeed in having designed and produced phones made 
secure by a non-Fair PKC. This would, however, be less easy for isolated 
criminals; moreover, it would be most inconvenient for two or three people to get 
hold of "alternative" products just to discuss their FIRST crime. At least, Fair 
PKC-based products prevent their initially (but no longer) honest buyers from 
conveniently and undetectably shifting to illegal communications. 

5) In any case, punishing abuse is secondary with respect to enabling legitimate 
use. 

Q: Fair PKCs may strike a good balance between the needs of the Government and 
those of the citizens in a democratic country, but: is there any use of Fair PKCs for 
"less democratic" settings? 

A: Yes. Consider the case of a large organization, say a private company, where there 
is a need for privacy, there is an established "superior" (say, a president), but not 
all employees can be trusted since there are too many of them. The need for privacy 
requires the use of encryption. Since not all employees can be trusted, using a 
single encryption key for the whole company is unthinkable. So is using lots of 
single-key cryptosystems, since this would generate enormous key-distribution 
problems. Having each employee use his own double-key system is also 
dangerous, since he might conspire against the company with great secrecy, 
impunity, and convenience. Obliging every employee to surrender his decryption 
key to the president is certainly more possible than in the public sector, since a 
private company need not be too democratic an organization. But it may not be a 
good idea for many reasons, two of which are the following. First, the identity of 
the president may change, and change quite often, but an employee should not 
change his keys for every new president. Second, a storage device containing all or 
many of the decryption keys would have to be overwhelmingly guarded. 

Even in this context Fair PKCs may be of help. Again, key distribution will not be 
a problem. Each employee will be in charge of choosing his own keys, which 
makes the system more distributed and agile. While enjoying the advantages of a 
more distributed procedure, the company will retain absolute control, since the 
president is guaranteed to be able to decrypt every employee's communications 
when necessary. There is no need to change keys when the president does, since 
the trustees need not be changed. The trustees' storage places need less 
surveillance, since only compromising all of them will give an adversary any 
advantage. 

Finally, Fair PKCs can be used as better secret sharing, since one has the guarantee 
that the secret will be reconstructed if all pieces (or the majority of them, depending 
on the implementation) are made available. 

5. A Concrete But Impractical Construction of Fair PKCs 

We now show that any ordinary PKC can actually be made fair along the lines of the 
abstract construction of Section 3. The construction below, though concrete, is however 
too general to be practical, and thus more direct solutions are described in the next two 
sections for making fair the most popular ordinary PKCs. The practically-oriented reader 
may thus prefer to proceed directly to those sections. 

5.1 A Sketch For The Expert 

The expert in secure protocol theory may be satisfied with the following sketch. 
Cutting corners, each user should (1) come up with a pair of matching public and private 
keys and give the trustees his chosen public key, (2) encrypt (by a different cryptosystem, 
even one based on a one-way function) his chosen private key, (3) give the trustees the just 
computed ciphertext and a zero-knowledge proof that the corresponding "decryption" really 
consists of the private key corresponding to the given public key, and (4) give the trustees 
shares of this decryption by means of a proper Verifiable Secret Sharing protocol. 

5.2 A More Informative Discussion 

In expanding the above sketch for the non-expert in protocol design, we feel it important to 
illustrate both similarities and differences between Fair PKCs and other related prior 
notions. 

SECRET SHARING 

As independently put forward by Shamir [Sh] and Blakley [Bl], secret sharing (with 
parameters n,T,t) is a cryptographic scheme consisting of two phases: in phase 1, a secret 
value chosen by a distinguished person, the dealer, is put in "safe storage" with n people or 
computers, the trustees, by giving each one of them a piece of information, a share, of the 
secret value. In phase 2, when the trustees pool together the information in their 
possession, the secret is recovered. In a secret sharing, this storage is safe only in two 
senses: 

1 Redundancy. 

Not all trustees need to reveal their shares in phase 2: it is enough that T of them do. 
(Thus the system tolerates that some of the trustees "die" or accidentally destroy the 
shares in their possession.) 
2 Privacy. 

If less than t of the trustees accidentally or even intentionally divulge the 
information in their possession to each other or to an outside party, the secret 
remains unpredictable until phase 2 occurs. 

Secret sharing suffers, though, from a main problem: assumed honesty; namely, 

Secret sharing presupposes that the dealer gives the trustees correct "shares" (pieces 
of information) about his secret value. This is so because each trustee cannot verify 
that he has received a meaningful share of anything. A dishonest dealer may thus 
give "junk" shares in phase 1, so that, when in phase 2 the trustees pool together 
the shares in their possession, there is no secret to be reconstructed. 

EXAMPLE (Shamir) 

The following is a secret sharing scheme with parameters n=2t+1 and T=t+1. 

Let p be a prime >n, and let S belong to the interval [0,p-1]. Choose a polynomial 
P(x) of degree t by choosing at random each of its coefficients in [0,p-1], except for 
the last one which is taken to be equal to S, that is, P(0)=S. Then the n shares are 
so computed: S1=P(1), ..., Sn=P(n). Redundancy holds since the polynomial P(x) 
can be interpolated from its value at any t+1 distinct points. (This, in turn, allows 
the computation of P(0) and thus of the secret.) Privacy holds since P(0) is totally 
undetermined by the value of P at any t points X1, ..., Xt different from 0 (in fact, 
any value v for P(0), together with the value of P at points X1, ..., Xt, uniquely 
determines a polynomial). 

As can be easily seen, if the dealer is dishonest, he may give each trustee a random 
number mod p. If this is the case, then (a) each trustee cannot tell that he has a junk share, 
and (b) in phase 2 there will be no secret to reconstruct. The consequence of this is that 
secret sharing is more useful in those occasions in which the dealer is certainly honest, for 
instance, because being honest is in his own interest. (A user that encrypts his own files 
with a secret key has a big interest in properly secret sharing his key with, say, a group of 
colleagues: if he accidentally loses it, he needs to reconstruct it!) Secret sharing alone, 
instead, cannot be too useful for building Fair Cryptosystems: we cannot expect that a 
criminal gives proper shares of his secret key to some federal judges when the only purpose 
of his doing this is allowing the authorities, under a court order, to understand his 
communications! 
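As an added illustration (not code from the paper), the following Python script implements Shamir's scheme above with n=5, t=2, T=3 over a constructed toy prime, and exhibits the three points of the discussion: redundancy (any t+1 shares recover S), privacy (any t shares are consistent with every candidate secret v, so a complete set of n shares for any v can be built from them), and the assumed-honesty problem (a constructed set of "junk" shares is just numbers mod p to each trustee, yet different subsets of t+1 reconstruct different values). The function names and the prime P_MOD are this example's own choices.

```python
import random
from itertools import combinations

# Constructed toy parameters (example only): a prime p > n, n = 2t+1 trustees,
# any T = t+1 of them can reconstruct.
P_MOD = 2**31 - 1    # a prime (the Mersenne prime M31)

def make_shares(secret, t, n, rng):
    """Phase 1 (honest dealer): pick a random degree-t polynomial with P(0) = secret
    and hand trustee i the share (i, P(i)), i = 1..n."""
    assert 0 <= secret < P_MOD and n < P_MOD
    coeffs = [secret] + [rng.randrange(P_MOD) for _ in range(t)]
    def poly(x):
        return sum(c * pow(x, k, P_MOD) for k, c in enumerate(coeffs)) % P_MOD
    return [(i, poly(i)) for i in range(1, n + 1)]

def lagrange_eval(points, x):
    """Value at x of the unique polynomial of degree < len(points) through the
    given (xi, yi) points, computed mod p by Lagrange interpolation."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P_MOD
                den = den * (xi - xj) % P_MOD
        total = (total + yi * num * pow(den, -1, P_MOD)) % P_MOD
    return total

def reconstruct(shares):
    """Phase 2 (redundancy): any t+1 genuine shares interpolate P and give P(0) = S."""
    return lagrange_eval(shares, 0)

def shares_consistent_with(t_shares, v, n):
    """Privacy: t shares plus ANY candidate secret v determine a unique degree-t
    polynomial, so the t shares are consistent with every v. Returns the full
    set of n shares of that polynomial (it agrees with t_shares at their points)."""
    points = [(0, v)] + list(t_shares)
    return [(i, lagrange_eval(points, i)) for i in range(1, n + 1)]

def shares_agree(shares, t):
    """Whether every (t+1)-subset reconstructs the same value. Genuine shares
    always agree; a dishonest dealer's junk shares generally do not, yet no single
    trustee can tell from his own share alone (it is just a number mod p)."""
    values = {reconstruct(list(subset)) for subset in combinations(shares, t + 1)}
    return len(values) == 1

# Constructed junk shares: points on a cubic, which lie on no degree-2 polynomial.
JUNK_SHARES = [(i, (i**3 + 7) % P_MOD) for i in range(1, 6)]

if __name__ == "__main__":
    rng = random.Random(7)
    shares = make_shares(123456789, 2, 5, rng)
    print("any 3 of 5 shares recover S:", reconstruct(shares[1:4]))
    print("2 shares fit the secret 42 too:", reconstruct(shares_consistent_with(shares[:2], 42, 5)[2:]))
    print("genuine shares agree:", shares_agree(shares, 2), "junk shares agree:", shares_agree(JUNK_SHARES, 2))
```

Note that shares_agree is a check the trustees can only run jointly in phase 2; the point of the paper's honesty problem is precisely that no trustee can run any such check on his own share, which is what verifiable secret sharing (next subsection) repairs.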



VERIFIABLE SECRET SHARING 

A closer connection exists between Fair PKCs and verifiable secret sharing (VSS) 
protocols. While the two concepts are not identical, a special type of VSS can be used to 
build Fair PKCs. As put forward by Awerbuch, Chor, Goldwasser, and Micali [CGMA], 
a verifiable secret sharing (VSS) scheme is a scheme that, while guaranteeing both the 
redundancy and the privacy property, overcomes the "honesty problem." In fact, in a VSS 
scheme each trustee can verify that the share given to him is genuine without revealing at all 
the shares of other trustees or the secret itself. That is, he can verify that, if T verified 
shares are revealed in phase 2, the original secret will be reconstructed, no matter what the 
dealer or dishonest trustees might do. 
EXAMPLE (Goldreich, Micali, and Wigderson [GMW1]) 

Assume that a PKC is in place and let Ei be the public encryption function of trustee 
i. Then, as in Shamir's scheme, the dealer selects a random polynomial P of degree 
t such that P(0)=the secret, and gives each trustee the n-vector of encryptions 
E1(P(1)), E2(P(2)), ..., En(P(n)). Trustee i will therefore properly decode P(i), but has 
no idea about the value of the other shares, and, consequently, whether these shares 
"define" a unique t-degree polynomial passing through them. The dealer thus 
proves to each trustee that the following sentence is true: "if you were so lucky to 
guess all decryption keys, you could easily verify that there exists a unique t-degree 
polynomial interpolating the encrypted shares." Since easily verifying something 
after a lucky guess corresponds to NP, the above is an "NP sentence." Since, 
further, the whole of NP is in zero-knowledge [GMW1], the dealer proves the 
correctness of the sentence, in zero knowledge, to every trustee. This guarantees 
each trustee that he has a legitimate share of the secret, since he has a legitimate 
share of P, but does not enable him (or him and other t-1 trustees) to guess what the 
secret is before phase 2. 

VSS AND FAIR PKCs 

Assume that each user chooses a secret/public key pair, and then VSS-shares his secret key 
with some federal judges. Does this constitute a Fair PKC? Not necessarily. In a VSS 
scheme, in fact, the secret may be unstructured. That is, each trustee can only verify that he 
got a genuine share of some secret value, but this value can be "anything." For instance, if 
the dealer promises that his secret value is a prime number, in an unstructured VSS a 
trustee can verify that he got a genuine share of some number, but has no assurance that 
this number is prime. 

Unstructured VSS is not enough for Fair PKCs. In fact, the trustees should not stop at 
verifying that they possess a legitimate share of a "generic" secret number: they should 
verify that the number they have a share of actually is the decryption key of a given public 
key! The GMW scheme, as described above, is an unstructured VSS, and thus unsuitable 
for directly building Fair PKCs. The same is true for other VSS schemes (e.g. the ones of 
Ben-Or, Goldwasser and Wigderson [BeGoWi]; of Chaum, Crepeau and Damgard 
[ChCrDa]; and of Rabin and Ben-Or [RaBe], just to mention a few). 

Some VSS schemes are structured, that is, each trustee can further verify that the secret 
value of which he possesses a genuine share satisfies some additional property. What this 
property is depends on the VSS scheme used. For instance, Feldman proposes a VSS in 
which, given an RSA modulus N and an RSA ciphertext E(m)=m^e mod N (of some 
cleartext message m), the trustees can verify that they do possess genuine shares of the 
decryption of E(m) (i.e., of m). This scheme is attractive in that it is "non-interactive," but 
cannot be used to hand out in a verifiable way shares of the decryption key of a given 
public key. In fact, 

the trustees have no guarantee that the decryption of E(m) actually consists of N's 
factorization. 

In other words, the trustees can verify that they have genuine shares of the decryption (m) 
of a ciphertext E(m), but m is unstructured (with respect to N's factorization and anything 
else). 

CONSTRUCTING FAIR PKCs WITH A GENERIC VSS 

Can a generic VSS scheme be transformed so as to yield Fair PKCs? The answer is YES, 
but at a formidable cost. All of the above mentioned VSS protocols can be "structured" so 
that the extra property verifiable by the trustees is that the dealer's secret actually is the 
decryption key of a given public key. In fact, this can be achieved as an instance of secure 
function evaluation between many parties as introduced by Goldreich, Micali, and 
Wigderson in a second paper [GoMiWib]. Such secure evaluation protocols are possible, 
though, more in theory than in practice in light of the complexity of the particular functions 
involved. In the case of the GMW VSS scheme, since the encryption of all the shares is 
publicly known, the transformation can actually be achieved by a simpler machinery: an 
additional zero-knowledge proof. But even in this case the computational effort involved is 
formidable. Essentially, one has to encode the right statement (i.e., the secret, whose proper 
shares are the decodings of these public ciphertexts, is the decryption key of this given 
public key) as a VERY BIG graph, 3-colorable if and only if the statement is true, and then 
prove, in zero-knowledge, that indeed the graph is 3-colorable. Not only are these 
transformations of a generic VSS to one with the right property computationally expensive, 
but they require INTERACTION (on top, if any, of the interaction required by the VSS 
scheme itself)! All these considerations may rule out constructing Fair PKCs this way in 
practice. Thus CUSTOM-TAILORED methods should be sought, whenever possible, to 
transform ordinary PKCs to Fair ones. This is our next goal. 

6. Making Fair the Diffie-Hellman Scheme 

Let us now exhibit concrete and efficient methods for turning two popular PKCs into Fair 
ones. We start by making Fair the scheme of Diffie and Hellman, since this is the simplest 
of the two. 

Recall that, a bit differently than in other systems, in Diffie-Hellman's scheme each pair of 
users X and Y succeeds, without any interaction, in agreeing upon a common, secret key 
Sxy to be used as a conventional single-key cryptosystem. Here is how. 

The Ordinary Diffie-Hellman PKC 

There are a prime p and a generator (or high-order element) g common to all users. 
User X secretly selects a random integer Sx in the interval [1,p-1] as his private key and 
publicly announces the integer Px=g^Sx mod p as his public key. Another user, Y, will 
similarly select Sy as his private key and announce Py=g^Sy mod p as his public key. The 
value of their common key is determined as Sxy=g^(Sx·Sy) mod p. User X computes Sxy by raising 
Y's public key to his secret key mod p; user Y by raising X's public key to his secret key 
mod p. In fact 

(g^Sx)^Sy = g^(Sx·Sy) = Sxy = g^(Sy·Sx) = (g^Sy)^Sx   (mod p) 

While it is easy, given g, p, and x, to compute y=g^x mod p, no efficient algorithm is 
known for computing, given y and p, x such that g^x=y mod p when g has high enough 
order. This is, in fact, the famous discrete logarithm problem. This problem has been used 
as the basis of security in many cryptosystems, and in the recently proposed U.S. standard 
for digital signatures. We now transform Diffie and Hellman's PKC into a fair one. Again, 
to keep things as simple as possible we imagine that there are 5 trustees and that ALL of 
them should cooperate to reconstruct a secret key, that is, that ALL shares are needed to 
reconstruct a secret key. Relaxing this condition involves another idea and will be dealt 
with in section 5. 

A Fair Diffie-Hellman Scheme 
(All-Shares Case) 

Instructions for the users 

Each user X randomly chooses 5 integers Sx1, ..., Sx5 in the interval [1,p-1] and lets Sx be 
their sum mod p. From here on, it will be understood that all operations are modulo p. He 
then computes the numbers 

t1 = g^Sx1, ..., t5 = g^Sx5 and Px = g^Sx 

Px will be user X's public key and Sx his private key. The ti's will be referred to as the 
public pieces of Px, and the Sxi's as its private pieces. Notice that the product of the public 
pieces equals the public key Px. In fact, 

t1 · ... · t5 = g^Sx1 · ... · g^Sx5 = g^(Sx1 + ... + Sx5) = g^Sx 

Let T1,...,T5 be the five trustees. User X now gives Px and pieces t1 and Sx1 to trustee 
T1, t2 and Sx2 to T2, and so on. It is important that piece Sxi be privately given to trustee 
Ti. 

Instructions for the trustees 

Upon receiving public and private pieces ti and Sxi, trustee Ti verifies whether g^Sxi = ti. If 
so, it stores the pair (Px,Sxi), signs the pair (Px,ti), and gives the signed pair to the key- 
management center. (Or to user X, who will then give all of the signed public pieces at 
once to the key-management center.) 

Instructions for the key-management center 

Upon receiving all the signed public pieces, t1,...,t5, relative to a given public key Px, the 
center verifies that the product of the public pieces indeed equals Px. If so, it approves Px 
as a public key, and distributes it as in the original scheme (e.g., signs it and gives it to 
user X.) 



This ends the instructions relative to the keys of the Fair PKC. The encryption and 
decryption instructions for any pair of users X and Y are exactly as in the Diffie and 
Hellman scheme (i.e., with common, secret key Sxy). It should be noticed that, like the 
ordinary Diffie-Hellman, the Fair Diffie-Hellman scheme does not require any special 
hardware and is actually easy to implement in software. 

Why does this work? 

First, the privacy of communication offered by the system is the same as in the Diffie and 
Hellman scheme. In fact, the validation of a public key does not compromise at all the 
corresponding private key. Each trustee Ti receives, as a special piece, the discrete 
logarithm, Sxi, of a random number, ti. This information is clearly irrelevant for computing 
the discrete logarithm of Px. The same is actually true for any 4 of the trustees taken 
together, since any four special pieces are independent of the private decryption key Sx. 
Also the key-management center does not possess any information relevant to the private 
key; that is, the discrete logarithm of Px. All it has are the public pieces signed by the 
trustees. (The public pieces simply are 5 random numbers whose product is Px. This type 
of information is irrelevant for computing the discrete logarithm of Px; in fact, anyone 
could choose four integers at random and set the fifth to be Px divided by the product of 
the first four.* As for a trustee's signature, this just represents the promise that someone 
else has a secret piece. As a matter of fact, even the information in the hands of the center 
together with any four of the trustees is irrelevant for computing the private key Sx.) Thus, 
not only is the user guaranteed that the validation procedure will not betray his private key, 
but he also knows that this procedure has been properly followed because he himself has 
computed his own keys and the pieces of his private one! 

Second, if the key-management center validates the public key Px, then the corresponding 
private key is guaranteed to be reconstructible by the Government in case of a court order. 

* The result would be integral because division is modulo p. 
In fact, the center receives all 5 public pieces of Px, each signed by the proper trustee. 
These signatures testify that trustee Ti possesses the discrete logarithm of public piece ti. 
Since the center verifies that the product of the public pieces equals Px, it also knows that 
the sum of the secret pieces in storage with the trustees equals the discrete logarithm of Px; 
that is, user X's private key. Thus the center knows that, if a court order is issued 
requesting the private key of X, by summing the values received from the trustees, the 
Government is guaranteed to obtain the needed private key. 

It should be noticed that, for efficiency considerations, we split the verification of the 
structure of the secret among trustees and key-management center. In fact a trustee 
verifying that Sxi is the discrete log of ti cannot possibly verify that Sxi is a share of the 
secret key of public key Px, since he has never seen Px! (If we wanted, we could have 
defined the public key to consist of Px, t1, t2, t3, t4, t5. In this case, giving trustee Ti the entire 
public key and the private piece (share) Sxi, we would have enabled him to verify the 
structure of the secret as well.) 
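As an added illustration (not the paper's own code) of the all-shares Fair Diffie-Hellman scheme just described, the following Python script runs the three roles over a constructed toy group: the user computes private and public pieces, each trustee checks g^Sxi = ti, the center checks that the product of the public pieces is Px, and a court-order reconstruction sums the stored pieces; it then shows that the reconstructed key yields the same Diffie-Hellman key Sxy that the two users compute. The values p and g and all function names are this example's own; the trustees' signatures are left out; and the private pieces are summed modulo p-1 (the order of the exponent group) rather than modulo p, so that the identity t1 · ... · t5 = g^Sx holds exactly for every choice of pieces.

```python
import random

# Constructed toy group (example only, far too small for real use): p is prime,
# g is the common base, and exponents are reduced modulo p-1.
P = 1000000007
G = 5
NUM_TRUSTEES = 5

def user_keygen(rng):
    """User X: 5 private pieces Sx1..Sx5 in [1, p-1]; private key Sx = their sum
    mod p-1; public pieces ti = g^Sxi mod p; public key Px = g^Sx mod p."""
    private_pieces = [rng.randrange(1, P) for _ in range(NUM_TRUSTEES)]
    sx = sum(private_pieces) % (P - 1)
    public_pieces = [pow(G, s, P) for s in private_pieces]
    px = pow(G, sx, P)
    return sx, px, private_pieces, public_pieces

def trustee_check(t_i, s_i):
    """Trustee Ti: store the private piece only if g^Sxi = ti mod p
    (in the scheme he then signs (Px, ti) for the center; signature omitted)."""
    return pow(G, s_i, P) == t_i

def center_check(px, public_pieces):
    """Key-management center: approve Px only if t1 * ... * t5 = Px mod p."""
    prod = 1
    for t in public_pieces:
        prod = prod * t % P
    return prod == px

def register(px, private_pieces, public_pieces):
    """Whole validation: every trustee must accept his piece, then the center
    must accept the public pieces. Returns the approved key, or None."""
    for t_i, s_i in zip(public_pieces, private_pieces):
        if not trustee_check(t_i, s_i):
            return None
    return px if center_check(px, public_pieces) else None

def court_order_reconstruct(stored_private_pieces):
    """Government, given all 5 stored pieces: one sum (mod p-1) recovers Sx."""
    return sum(stored_private_pieces) % (P - 1)

def shared_key(my_private, their_public):
    """Ordinary Diffie-Hellman: Sxy = Py^Sx = Px^Sy mod p."""
    return pow(their_public, my_private, P)

if __name__ == "__main__":
    rng = random.Random(42)
    sx, px, priv_x, pub_x = user_keygen(rng)
    sy, py, _, _ = user_keygen(rng)
    print("Px approved:", register(px, priv_x, pub_x) == px)
    recovered = court_order_reconstruct(priv_x)
    print("court order recovers Sx:", recovered == sx)
    print("recovered key decrypts X<->Y traffic:",
          shared_key(recovered, py) == shared_key(sy, px))
```

The register function mirrors the split of verification described above: a trustee can only check that his Sxi is the discrete log of ti, and the center, which never sees any Sxi, can only check that the ti multiply to Px; a piece altered on the way to a trustee fails the first check, and a user who submits pieces belonging to a different Px fails the second.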



7. Making Fair the RSA Scheme 

Let us now just OUTLINE a custom-tailored method to make the RSA Fair. We will be 
more precise in the final paper. Our method, while simple algorithmically, does require 
some more knowledge of number theory. (We wish to note that our effort could be 
considerably simplified if we were willing to make Fair not the basic RSA scheme, but 
some variants of it that essentially exhibit its same security.) 

In the basic RSA PKC, the public key consists of an integer N, the product of two primes, and 
one exponent e (relatively prime with f(N), where f is Euler's totient function). No matter 
what the exponent, the private key may always be chosen to be N's factorization. Before 
we show how to make a Fair PKC out of RSA we need to recall some facts from number 
theory. 

Fact 1. Let Z_N* denote the multiplicative group of the integers between 1 and N which are 
relatively prime with N. If N is the product of two primes, N=pq (or of two prime powers: 
N=p^a q^b), then 

* a number s in Z_N* is a square mod N if and only if it has four distinct square roots 
mod N: x, -x mod N, y, and -y mod N. (That is, x^2=y^2=s mod N.) Moreover, 
from the greatest common divisor of ±x±y and N, one easily computes the 
factorization of N. Also, 

* one in four of the numbers in Z_N* is a square mod N. 

Fact 2. Among the integers in Z_N* is defined a function easy to evaluate, the Jacobi 
symbol, that evaluates to either 1 or -1. The Jacobi symbol of x is denoted by (x/N). The 
Jacobi symbol is multiplicative; that is, (x/N)(y/N)=(xy/N). If N is the product of two 
primes N=pq (or of two prime powers: N=p^a q^b), and p and q are congruent to 3 mod 4, then, 
letting x, -x, y, and -y mod N be the four square roots of a square mod N, (x/N)=(-x/N)=+1 
and (y/N)=(-y/N)=-1. Thus, because of Fact 1, if one is given a Jacobi symbol 1 
root and a Jacobi symbol -1 root of any square, he can easily factor N. 
We are now ready to describe how the RSA cryptosystem can be made fair in a simple 
way. For simplicity we again assume that we have 5 trustees and that all of them must 
collaborate to reconstruct a secret key, while no 4 of them can even predict it. 

A Fair RSA Scheme 
(All-Shares Case) 

Instructions for the user 

A user chooses P and Q, primes congruent to 3 mod 4, as his private key, and N=PQ as 
his public key. Then he chooses 5 Jacobi 1 integers X1, X2, X3, X4 and X5 at random in 
Z_N* and computes their product, X, and Xi^2 mod N for all i=1,...,5. The product of these 
5 squares, Z, is itself a square. One square root of Z mod N is X, which has Jacobi symbol 
equal to 1 (since the Jacobi symbol is multiplicative). The user thus computes Y, one of the 
Jacobi -1 roots of Z mod N. X1^2, ..., X5^2 will be the public pieces of public key N, and the Xi's its 
private pieces. The user gives trustee Ti private piece Xi (and possibly the public piece). 

Instructions for the trustees 

Trustee T_i checks that X_i has Jacobi symbol 1 mod N, then he squares X_i mod N, gives 
the key-management center his signature of X_i^2 mod N, and stores X_i and X_i^2 (or X_i and 
N). 

Instructions for the key-management center 

The center first checks that (-1/N) = 1, that is, that for all x: (x/N) = (-x/N); this is partial 
evidence that N is of the right form. Upon receiving the trustees' valid signatures of the public 
pieces of N and the Jacobi -1 value Y from the user, the center checks whether, mod N, the 
square of Y equals the product of the 5 public pieces. If so, the center is now guaranteed 
that it has a split of N. To make sure that it actually has the complete factorization of N, it 
must now perform the missing procedure (i.e., a procedure whose description we 
temporarily postpone) to check that N is the product of two prime powers. If this is the 
case, it approves N. 

Again, it should be noticed that the Fair RSA scheme can be conveniently implemented in 
software. 

Why does this work? 

The reasoning behind the scheme is the following. The trustees' signatures of the X_i^2's 
(mod N) guarantee the center that every trustee T_i has stored a Jacobi symbol 1 root of X_i^2 
mod N. Thus, in case of a court order, all these Jacobi symbol 1 roots can be retrieved. 
Their product mod N will also have Jacobi symbol 1, since this function is multiplicative, 
and will be a root of X^2 mod N. But since the center has verified that Y^2 = X^2 mod N, one 
would have two roots X and Y of a common square mod N; moreover, Y is different from 
X since it has a different Jacobi symbol, and is also different from -X, since (-X/N) = (X/N); 
in fact: (a) (-1/N) has been checked to be 1 and (b) the Jacobi symbol is multiplicative. 
Possession of such square roots, by Facts 1 and 2, is equivalent to having the factorization 
of N, provided that N is a product of at most two prime powers. That's why this last 
property has also been checked by the center before it approved N. 

The reason that 4 (or fewer) trustees cannot factor N with the information in their possession 
is similar to the one of the discrete log scheme. Namely, the information in their possession 
solely consists of 4 random squares and their square roots mod N. This cannot be of any 
help in factoring N, since anybody could randomly choose 4 integers in Z_N* and square 
them mod N. 
The missing procedure 

The center can easily verify that N is not prime. It can also easily verify that N is not a 
prime power by checking that N is not of the form x^y, for x and y positive integers, y > 1. 
In fact, for each fixed y one can perform a binary search for x, and there are at most 
log2(N) y's to check, since x must be at least 2 if N > 1. It is thus now sufficient to check 
that N is the product of at most 2 prime powers. Since no efficient algorithm is known for 
this task when N's factorization is not known, any such check must involve the user who 
chose N, since he will be the only one to know N's factorization. In the spirit of what we 
have done so far, we seek a verification method that is (1) simple, (2) non-interactive, and 
(3) provably safe. The key to this is the older idea of Goldwasser and Micali of counting 
the number of prime divisors of N by estimating the number of quadratic residues in Z_N*. 
In fact, if N is the product of no more than two prime powers, at least one number in four 
is a square mod N, otherwise at most 1 in 8 is. Thus the user can demonstrate that N has at 
most two different prime divisors by computing and sending to the center a square root 
mod N for at least, say, 3/16 of the elements of a prescribed list of numbers that are 
guaranteed to be randomly chosen. This list may be taken to be part of the system. 
Requiring the user to give the square roots of those numbers in such a random sequence 
that are squares mod N does not enable the center -or anybody else for that matter- to 
easily factor N. To make this idea viable one would need some additional details. For 
instance, the trustees may be involved in choosing this public sequence so as to guarantee 
to all users the randomness of their elements; also the sequence should be quite long, else a 
user may "shop around" for a number N' that, though product of -say- 3 prime powers, 
is such that at least 3/16 of the numbers in the sequence are squares modulo it; and so on. 
In "practice" this idea can be put to work quite efficiently by one-way hashing the user's 
chosen N to a small "random" number H(N), where H is a publicly known one-way hash 
function, and then generating a sufficiently long sequence of integers S(N) by giving H(N) 
as a seed to a reasonable pseudo-random number generator. This way, the number 
sequence may be assumed to be random enough by everybody, since the user cannot really 
control the seed of the generator. Moreover, the sequence changes with N, and thus a 
dishonest user cannot shop around for a tricky N as he might when the sequence is chosen 
before hand. Thus, the sequence chosen may be much shorter than before. If a dishonest 
user has chosen his N to be the product of three or more prime powers, then it would be 
foolish for him to hope that roughly 1/4 of the integers in the sequence are squares mod N. 
The scheme is of course non-interactive, since the user can compute on his own H(N), the 
number sequence S(N), and the square roots mod N of those elements in S(N) that are 
quadratic residues, and then sends the center only N and the computed square roots. Given 
N, the center will compute on its own the same value H(N) and thus the same sequence 
S(N). Then, without involving the user at all, it will check that, by squaring mod N the 
received square roots, it obtains a sufficiently high number of elements in S(N). 
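The Fair RSA scheme of this section together with the missing procedure, as an added worked example (it is not code from the paper): a user holding two toy primes congruent to 3 mod 4 produces the five Jacobi 1 pieces, the Jacobi -1 root Y, and square roots for the elements of S(N) that are squares; the key-management center runs its checks, including the perfect-power test and the 3/16 density threshold; and a court holding all five private pieces recovers the factorization from gcd(X - Y, N). The prime sizes, SHA-256 standing in for both H and the generator of S(N), the sequence length of 512, and the trustee count are assumptions made for the example.

```python
import hashlib
import random
from math import gcd

# Constructed toy parameters: both primes are 3 mod 4 (real keys use ~1024-bit primes).
P, Q = 10007, 7919
N = P * Q                      # N = 1 mod 4, hence (-1/N) = 1
TRUSTEES, SEQ_LEN = 5, 512     # 5 pieces; S(N) has 512 elements, threshold is 3/16 of them

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def all_roots(s, p, q):
    """The four square roots of a square s mod pq; needs the factorization.
    For a prime p = 3 mod 4, s^((p+1)/4) is a root of s mod p; combine by CRT."""
    rp, rq = pow(s, (p + 1) // 4, p), pow(s, (q + 1) // 4, q)
    cp, cq = q * pow(q, -1, p), p * pow(p, -1, q)
    return [(a * cp + b * cq) % (p * q) for a in (rp, p - rp) for b in (rq, q - rq)]

def is_square_mod(s, primes):
    """s in Z_N* is a square mod N iff it is a square mod each prime (Euler's criterion)."""
    return all(pow(s, (p - 1) // 2, p) == 1 for p in primes)

def user_setup(seed):
    """User: 5 random Jacobi 1 pieces X_i, public pieces X_i^2 mod N, a Jacobi -1 root Y of Z."""
    rng, pieces = random.Random(seed), []
    while len(pieces) < TRUSTEES:
        x = rng.randrange(2, N)
        if gcd(x, N) == 1 and jacobi(x, N) == 1:
            pieces.append(x)
    z = 1
    for x in pieces:
        z = z * x * x % N
    y = next(r for r in all_roots(z, P, Q) if jacobi(r, N) == -1)
    return pieces, [x * x % N for x in pieces], y

def hashed_sequence(n, length=SEQ_LEN):
    """S(N): elements of Z_N* expanded from the seed H(N); SHA-256 stands in for H and G."""
    seed, out, k = hashlib.sha256(str(n).encode()).digest(), [], 0
    while len(out) < length:
        v = int.from_bytes(hashlib.sha256(seed + k.to_bytes(4, "big")).digest(), "big") % n
        k += 1
        if v > 1 and gcd(v, n) == 1:
            out.append(v)
    return out

def user_prove_two_primes():
    """User: one square root mod N for every element of S(N) that is a square mod N."""
    return {s: all_roots(s, P, Q)[0] for s in hashed_sequence(N) if is_square_mod(s, (P, Q))}

def is_perfect_power(n):
    """True if n = x^y for integers x >= 2, y >= 2 (binary search on x for each y)."""
    for y in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // y + 1)
        while lo <= hi:
            mid = (lo + hi) // 2
            if mid ** y == n:
                return True
            lo, hi = (mid + 1, hi) if mid ** y < n else (lo, mid - 1)
    return False

def center_approves(public, y, roots):
    """Center: (-1/N) = 1, N not a prime power, Y has Jacobi -1 and Y^2 = product of the
    public pieces, and valid roots for >= 3/16 of S(N) (3+ prime factors allow at most 1/8)."""
    if jacobi(N - 1, N) != 1 or jacobi(y, N) != -1 or is_perfect_power(N):
        return False
    z = 1
    for pub in public:
        z = z * pub % N
    if y * y % N != z:
        return False
    good = sum(1 for s in hashed_sequence(N) if s in roots and roots[s] ** 2 % N == s)
    return good >= 3 * SEQ_LEN // 16

def cheater_best_count(n3, primes):
    """Most roots a user whose N' is the product of these three primes could ever supply."""
    return sum(1 for s in hashed_sequence(n3) if is_square_mod(s, primes))

def court_recovers(pieces, y):
    """All 5 pieces give X = prod X_i, a root of Z with Jacobi symbol +1, while Y has -1;
    so X != +-Y and gcd(X - Y, N) is a proper factor (Facts 1 and 2)."""
    x = 1
    for piece in pieces:
        x = x * piece % N
    f = gcd(x - y, N)
    return {f, N // f}
```

Two points worth checking in any implementation of this: the center must verify that Y itself has Jacobi symbol -1 (otherwise a user can hand in X or -X and the court's gcd yields only N or 1), and the sequence S(N) must be derived from N rather than fixed in advance, so that a user cannot shop for a three-prime N' that happens to pass the 3/16 threshold.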



8. Basic Variants of the Basic Notion 

Independent of the underlying PKC, several variants of the notion of a Fair PKC are 
possible, each, of course, possessing its own advantages and disadvantages, either in 
efficiency or fairness. Here, let us briefly discuss two important variants and then just 
mention a few others. 

8.1 Relying on Fewer Shares 

The schemes developed so far are robust only in the sense that some trustees, accidentally 
or maliciously, may reveal the shares in their possession without compromising the 
security of the system. However, our schemes so far rely on the fact that the trustees will 
collaborate during the recovering stage. In fact, we insisted that all of the shares should be 
needed for recovering a secret key. This may be disadvantageous, either because some 
trustees may after all be untrustworthy and refuse to give the Government the key in their 
possession, or because, despite all file back-ups, they may have genuinely lost the 
information in their possession. Whatever the reason, in this circumstance the 
reconstruction of a secret key will be prevented. Since VSS protocols exist (such as the 
GMW one) which tolerate any minorities of trustees to be bad, this problem can, in 
principle, be solved. However, the cost to be paid would be very very high, independently 
of whether or not the number of trustees is small. Thus, once again, one should resort to 
direct constructions. The ones discussed below have been selected because of their 
simplicity, their being quite practical whenever the number of trustees is small (in particular 
they continue to be non-interactive), and their sufficient generality (though they will be 
illustrated only in the context of a single PKC). Slicker solutions can be obtained, but at the 
expense of greater complications. (One such method has been recently developed by 
Sidney based on a previous construction of Feldman [Fe87].) 

THE SUBSET METHOD. 

Each Fair PKC described so far is based on a (properly structured, non-interactive) VSS 
scheme with parameters n=5, T=5 and t=4. It may be preferable to have different values for 
our parameters; for instance, n=5, T=3, and t=2. That is, any majority of the trustees can 
recover a secret key, while no minority of trustees can predict it at all. This is achieved as 
follows (and it is easily generalized to any desired values of n, T and t in which T > t). We 
confine ourselves to exemplifying our method in conjunction with the Diffie-Hellman 
scheme. The same method essentially works for the RSA case as well. 

The Subset Method for the Diffie-Hellman scheme 



After choosing a secret key S_X in [1,p-1], user X computes his public key P_X = g^{S_X} mod p. 
(All computations from now on will be mod p; exponents of g are taken mod p-1, since 
g^{p-1} = 1 mod p.) User X now considers all triplets of numbers between 1 and 5: (1,2,3), 
(1,2,4), ..., (3,4,5); there are 10 of them. 

For each triplet (a,b,c), he randomly chooses 3 integers S_1abc, S_2abc, S_3abc in the interval 
[1,p-1] so that their sum mod p-1 equals S_X. Then he computes the 3 numbers 

    t_1abc = g^{S_1abc},  t_2abc = g^{S_2abc},  t_3abc = g^{S_3abc}  (mod p). 

The t_iabc's will be referred to as public pieces of P_X, and the S_iabc's as private pieces. 
Again, the product of the public pieces equals the public key P_X. In fact, 

    t_1abc · t_2abc · t_3abc = g^{S_1abc} · g^{S_2abc} · g^{S_3abc} = g^{S_1abc + S_2abc + S_3abc} = g^{S_X} = P_X. 

User X then gives trustee T_a t_1abc and S_1abc, trustee T_b t_2abc and S_2abc, and trustee T_c 
t_3abc and S_3abc, always specifying the triplet in question. 

Upon receiving these quantities, trustee T_a (all other trustees do something similar) verifies 
that t_1abc = g^{S_1abc}, signs the value {P_X, t_1abc, (a,b,c)} and gives the signature to the key 
management center. 

The key-management center, for each triple (a,b,c), retrieves the values t_1abc, t_2abc and 
t_3abc from the signed information received from trustees T_a, T_b and T_c. If the product of 
these three values equals P_X and the signatures are valid, it approves P_X as a public key. 
The reason the scheme works, assuming that at most 2 trustees are bad, is that all secret 
pieces of a triple are needed for computing (or predicting) a secret key. Thus no secret key 
in the system can be retrieved by any 2 trustees. On the other hand, when after a court 
order, at least 3 trustees reveal all the secret pieces in their possession about a given public 
key, the Government has all the necessary secret pieces for at least one triple, and thus can 
compute easily the desired secret key. 
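The subset method for the Diffie-Hellman case with n=5, T=3, t=2, as an added worked example (it is not code from the paper): the user splits S_X once per triplet, each trustee verifies the pieces it receives before signing, the center multiplies the public pieces of every triplet, and a court obtains S_X from any 3 cooperating trustees while 2 trustees hold no complete triplet. The toy group p = 65537, g = 3, the use of seeded randomness for reproducibility, and the mailbox layout are assumptions made for the example.

```python
import random
from itertools import combinations

# Constructed toy Diffie-Hellman group: p = 65537, g = 3. Exponents are reduced mod p-1
# because g^(p-1) = 1 mod p. A real deployment uses a 2048-bit (or larger) prime.
P, G = 65537, 3
TRUSTEES, T = 5, 3   # n=5 trustees; any T=3 recover the key, any t=2 learn nothing

def split_secret_key(sx, seed):
    """User X: for each of the C(5,3)=10 triplets (a,b,c), three random private pieces with
    S_1abc + S_2abc + S_3abc = S_X (mod p-1) and the public pieces t_iabc = g^S_iabc mod p."""
    rng, table = random.Random(seed), {}
    for triple in combinations(range(1, TRUSTEES + 1), T):
        s1, s2 = rng.randrange(1, P - 1), rng.randrange(1, P - 1)
        priv = (s1, s2, (sx - s1 - s2) % (P - 1))
        table[triple] = (priv, tuple(pow(G, s, P) for s in priv))
    return table

def trustee_mailbox(table, trustee):
    """What trustee T_a receives: (triplet, its position in it, private piece, public piece)
    for every triplet it belongs to. It stores these and signs {P_X, t, triplet}."""
    out = []
    for triple, (priv, pub) in table.items():
        if trustee in triple:
            k = triple.index(trustee)
            out.append((triple, k, priv[k], pub[k]))
    return out

def trustee_verifies(mailbox):
    """Each piece must satisfy t_kabc = g^S_kabc before the trustee signs it."""
    return all(pow(G, s, P) == t for _, _, s, t in mailbox)

def center_approves(px, table):
    """Center: for every triplet, the product of the three signed public pieces equals P_X."""
    for _, pub in table.values():
        if pub[0] * pub[1] % P * pub[2] % P != px:
            return False
    return True

def court_recovers(table, cooperating):
    """Trustees in `cooperating` surrender their private pieces. Any 3 of them own a complete
    triplet, whose pieces sum to S_X; any 2 never see a full triplet and get nothing."""
    cooperating = set(cooperating)
    for triple, (priv, _) in table.items():
        if set(triple) <= cooperating:
            return sum(priv) % (P - 1)
    return None
```

The cost that makes this method "direct" rather than general is visible in the table: the user performs C(n,T) sharings and each trustee stores C(n-1,T-1) pieces per public key, which is fine for n=5 and impractical for large n.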

THE SHARE REPLICATION METHOD. 

In this solution, each of the 5 trustees is replaced by a group of new trustees. For instance, 
instead of a single trustee T_i, there may be 3 trustees, T_i^1, T_i^2, T_i^3; each of these trustees 
will receive and check the same share of trustee Ti . Thus, it is going to be very unlikely 
that all 3 trustees will refuse to surrender their copy of the first share. This scheme is a bit 
"trustee-wasteful" since it requires 15 trustees while it is enough that an adversary corrupts 
5 of them to defeat the scheme. (However, one should appreciate that defeating the share- 
replication scheme is not as easy as corrupting any 5 trustees out of 15, since it must be 
true that a trustee is corrupted in each group.) The scheme has, nonetheless, two strong 
advantages: (1) Scalability: denoting by n the number of trustee groups, the computational 
effort of the scheme grows polynomially in n, no matter what the group size is, and thus - 
if desired— one can choose a large value for n; (2) Repetitiveness: if there are n trustee 
groups of size k each, one should only perform n "operations," in fact, each member of a 
trustee group gets a "xerox copy" of the same computation. 

In the final paper we shall demonstrate that both methods can be optimized, but here let us 
instead move on to consider a far more important problem than efficiency. 

8.2 Making Trustees Oblivious 

There is another point that requires attention. Namely, a trustee requested by a court order 
to surrender his share of a given secret key may alert the owner of that key that his 
communications are going to be monitored. This serious problem can be attacked by a 
general-purpose machinery, yielding a purely theoretical solution. But, here, let us outline a 
simple and practical one, available when the cryptosystem used by the trustees possesses a 
nice algebraic property (essentially, random self-reducibility as introduced by Blum and 
Micali [BlMi]). This practical strategy is exemplified below by making oblivious (and Fair) 
the Diffie-Hellman scheme for the "all-shares" case, but also works for the RSA scheme 
and for fewer shares. 

Oblivious and Fair Diffie-Hellman Scheme 
(All-Shares Case) 



The trustees' encryption algorithms 

Since RSA itself possesses a sufficient algebraic property, let us assume that all trustees 
use deterministic RSA for receiving private messages. Thus, let N_i be the public RSA 
modulus of trustee T_i and e_i his encryption exponent (i.e., to send T_i a message m in 
encrypted form, one would send m^{e_i} mod N_i). 

Instructions for user U 

User U prepares his public and secret key, respectively P_X and S_X (thus P_X = g^{S_X} mod p), 
as well as his public and secret pieces of the secret key, respectively the t_i's and S_Xi's (thus 
P_X = t_1 · t_2 · ... · t_5 mod p and t_i = g^{S_Xi} mod p for all i). Then he gives to the key-management 
center P_X, all of the t_i's and the 5 values U_i = (S_Xi)^{e_i} mod N_i; that is, he encrypts the i-th 
share with the public key of trustee T_i. 
(Comment: Since the center does not know the factorization of the N_i's, this is no useful 
information to predict S_X, nor can it verify that the decryptions of the 5 ciphertexts are 
proper shares of S_X. For this, the center will seek the cooperation of the 5 trustees, but 
without informing them of the identity of the user.) 

Instructions for the center/trustees 

The center stores the values t_i's and U_i's relative to user U and then forwards U_i and t_i to 
trustee T_i. If every trustee T_i responds that it has verified that the decryption of U_i is a proper 
private piece relative to t_i, the center approves P_X. 

Instructions in case of a court order 

To lawfully reconstruct secret key S_X without leaking to a trustee the identity of the 
suspected user U, a judge (or another authorized representative) randomly selects a number 
R_i mod N_i and computes y_i = R_i^{e_i} mod N_i. Then, he sends trustee T_i the value z_i = U_i · y_i 
mod N_i, asking with a court order to compute and send back w_i, the e_i-th root of z_i mod 
N_i. Since z_i is a random number mod N_i, no matter what the value of U_i is, trustee T_i 
cannot guess the identity of the user U in question. Moreover, since z_i is the product of U_i 
and y_i mod N_i, the e_i-th root of z_i is the product mod N_i of the e_i-th root of U_i (i.e., S_Xi) 
and the e_i-th root of y_i (i.e., R_i). Thus, upon receiving w_i, the judge divides it by R_i mod 
N_i, thereby computing the desired S_Xi. The sum of these S_Xi's (mod p-1) equals the desired S_X. 
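The oblivious variant above, as an added worked example (it is not code from the paper): the user encrypts each Diffie-Hellman piece under a trustee's deterministic RSA key, the trustee checks at registration that the decryption is a discrete log of the public piece, and the judge later blinds U_i with R_i^{e_i} so that the trustee decrypts a uniformly random z_i and never learns whose share it opened. The toy group p = 65537, g = 3, the three small trustee moduli, e = 65537, and the use of seeded randomness are assumptions made for the example.

```python
import random
from math import gcd

# Constructed toy values. User's DH group: p = 65537, g = 3. Trustees' RSA keys use small
# primes so the example runs instantly; real trustees would use 2048-bit moduli.
P, G = 65537, 3
E = 65537
TRUSTEE_PRIMES = {1: (10007, 10009), 2: (7919, 104729), 3: (1299709, 15485863)}
TRUSTEE_N = {i: p * q for i, (p, q) in TRUSTEE_PRIMES.items()}
TRUSTEE_D = {i: pow(E, -1, (p - 1) * (q - 1)) for i, (p, q) in TRUSTEE_PRIMES.items()}

def user_registers(sx, seed):
    """User U: pieces summing to S_X mod p-1, public pieces t_i = g^S_i mod p, and
    U_i = S_i^e mod N_i, the i-th piece under trustee T_i's deterministic (unpadded) RSA."""
    rng = random.Random(seed)
    s1, s2 = rng.randrange(1, P - 1), rng.randrange(1, P - 1)
    pieces = (s1, s2, (sx - s1 - s2) % (P - 1))
    t = [pow(G, s, P) for s in pieces]
    u = [pow(s, E, TRUSTEE_N[i]) for i, s in enumerate(pieces, start=1)]
    return pieces, t, u

def trustee_checks_piece(i, t_i, u_i):
    """Registration: T_i decrypts U_i and confirms it is a discrete log of t_i.
    The center forwards only (t_i, U_i), not the user's identity."""
    s = pow(u_i, TRUSTEE_D[i], TRUSTEE_N[i])
    return pow(G, s, P) == t_i

def center_approves(px, t, u):
    """Center: product of public pieces is P_X and every trustee vouches for its piece."""
    prod = t[0] * t[1] % P * t[2] % P
    return prod == px and all(trustee_checks_piece(i, t[i - 1], u[i - 1]) for i in (1, 2, 3))

def judge_blinds(i, u_i, seed):
    """Judge: random R_i coprime to N_i, y_i = R_i^e, z_i = U_i * y_i mod N_i."""
    rng, n = random.Random(seed), TRUSTEE_N[i]
    r = rng.randrange(2, n)
    while gcd(r, n) != 1:
        r = rng.randrange(2, n)
    return r, u_i * pow(r, E, n) % n

def trustee_obeys_court_order(i, z_i):
    """T_i returns w_i, the e_i-th root of z_i. Because z_i is uniform in Z_N_i it reveals
    nothing about which U_i, hence which user, is being opened."""
    return pow(z_i, TRUSTEE_D[i], TRUSTEE_N[i])

def judge_unblinds(i, w_i, r):
    """w_i = S_i * R_i mod N_i, so dividing by R_i gives the piece S_i (which is < N_i)."""
    n = TRUSTEE_N[i]
    return w_i * pow(r, -1, n) % n

def court_recovers(u, seed):
    """Judge: blind each U_i, obtain the root from T_i, unblind, and sum the pieces."""
    total = 0
    for i in (1, 2, 3):
        r, z = judge_blinds(i, u[i - 1], seed * 10 + i)
        total += judge_unblinds(i, trustee_obeys_court_order(i, z), r)
    return total % (P - 1)
```

The multiplicative property this relies on is exactly what RSA padding (OAEP, PKCS#1 v1.5) destroys, so the trustees' decryption keys must be dedicated to this raw-RSA use and never shared with any other application; the same homomorphism that hides the user from the trustee would otherwise let anyone turn the trustee into a decryption oracle.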

8.3 Time-Bounded Court-Authorized Eavesdropping 



At present the Citizens have no guarantees that an illegal wiretapping will not be initiated, or 
that a legitimate eavesdropping will be stopped at the prescribed date; indeed, courts 
usually authorize line-tapping for a bounded length of time only. 

Fair PKCs are preferable to the status quo: the users are guaranteed that no illegal 
wire-tapping will be initiated, because without the help of the trustees their cryptosystems 
are impenetrable. Fair PKCs, however, are just as "bad" as the current system with respect 
to the time-bound issue. In fact, once the private key of the user of a Fair PKC erroneously 
suspected of unlawful activities is reconstructed, thanks to the collaboration of the trustees 
in response to a legitimate court order, it would be very easy for the agent monitoring her 
conversations (say, the Police) to exceed its mandate and keep on tapping (or allow 
someone else to tap) her line for a longer period of time. 

Because it is our goal to strike a better balance between the needs of the Government and 
those of the Citizens in a modern democracy, we have developed various strategies for 
improving on the status quo and removing this weakness altogether. 

8.3.1 Multiple Public-Keys 

A very simple way to ensure time-bounded court-authorized line tapping consists of having 
each user choose a sufficient amount of matching public and secret keys, say one per 
month. Each public key will then be publicized specifying the month to which it refers. 
Someone who wants to send userX a private message in March, will then encrypt it with 
X's public March key. If this level of granularity is acceptable, the court may then ask the 
trustees to reveal X's secret keys for a prescribed set of months. 

The disadvantage of this approach is that it requires a rather large "total public key," and it 
may be totally impractical if a fine granularity is desired. 
8.3.2 Tamper-Proof Chips 

One simple method to ensure time-bounded court-authorized eavesdropping makes use of 
secure chips; these are special chips that cannot be "read" from the outside, and cannot be 
tampered with. Thus, in particular, upon receiving an input they produce a specific output, 
but effectively hide all intermediate results. (Such chips are central to the Clipper Chip 
proposal.) 

Time-bounded legal eavesdropping can be achieved by having the Police use secure chips 
possessing an internal and thus untamperable clock, the Polchips, in order to monitor the 
communications of a suspected user. Assume that a proper court order is issued to tap the 
line of user X from February to April. Then, each trustee will send the Polchip a digitally 
signed message consisting of his own share of user X's private key (encrypted so that only 
the Polchip will understand it). The Polchip can now easily compute X's secret key. Thus, 
if the Court sends to the Polchip a signed message consisting of, say, "decode, X, 
February-April",^1 since the Polchip has an internal clock, it can easily decrypt all messages 
relative to X for the prescribed time period. Then, it will destroy X's secret key, and, in 
order to allow further line tapping, a new court order will be required. 

A main advantage of this approach is its simplicity; it does, however, require some 
additional amount of trust. In fact, the citizens cannot check, but must believe, that each 
Polchip is manufactured so as to work as specified above. 

8.3.3 Algorithmically-Chosen Session Keys 

In the multiple public-key method described above, each user selected and properly shared 
with the Trustees a number of secret keys of a PKC equal to the number of possible 
transmission "dates" (in the above example, each possible month). Within each specified 
date, the same public-secret key pair was used for directly encrypting and decrypting any 
message sent or received by any user. Time-bounded Fair PKCs, however, can be more 
efficiently achieved by using public keys only to encrypt session keys, and session keys to 
encrypt real messages (by means of a conventional single-key system). This is, in fact, the 
most common and efficient way to proceed. 

Session keys are usually unique to each pair of users and date of transmission. Indeed, if 
each minute or second is considered a different date, there may be a different session key 
for every transmission between two users. Abstractly, the date may just be any progressive 
number identifying the transmission, but not necessarily related to physical time. 

To achieve time-bounded court-authorized line tapping, we suggest to choose session keys 
algorithmically (so that the Trustees can compute each desired session key from 
information received when users enter the system), but unpredictably (so that, though some 
session keys may become known -- e.g., because of a given court order -- the other session 
keys remain unknown). 

The particular mechanics to exploit this approach is, however, important, because not all 
schemes based on algorithmically selected session keys yield equally convenient time- 
bounded Fair PKCs.^2 



^1 Alternatively, the time interval can be specified in the message of the trustees, since they 
learned it from the Court anyway. 

^2 For instance, a time-bounded Fair PKC that required the Police to contact the Trustees 
specifying the triplet (X,Y,D) in order to understand X's communication to Y at time D 
(belonging to the court-authorized time interval), might be deemed impractical. A better scheme 
may allow the Police to contact the Trustees only once, specifying only X, Y, and D1 and D2, 
An effective method is described below, basic properties first and technical details later. 
The high-level mechanics of our Suggestion 

In presence of a court order to tap X's lines between dates D1 and D2, no matter how many 
dates there may be between D1 and D2, our method allows the Trustees to easily compute 
and give the Police a small amount of information, i = i(X,D1,D2), that makes it easy to tap 
X's lines in the specified time interval. The method consists of using a Fair PKC F 
together with a special additional step for selecting session keys for a conventional single- 
key cryptosystem C. In our suggested method, call it the (F,C) method, for any users X and 
Y, and any date D, there is a session key SXDY for enabling X to send a private message 
to Y at time D. Each user X is asked to provide the trustees not only with proper shares of 
his secret key in F, but also with additional pieces of information that enable them, should 
they receive a legitimate court order for tapping X between dates D1 and D2, to compute 
easily i(X,D1,D2) and hand it to the Police. 

While the trustees can verify that they possess correct shares of X's secret key in F, we do 
not insist that the same holds for X's session keys. This decreased amount of verifiability 
is not crucial in this context for the following reasons. Assume in fact that the Police, after 
receiving i(X,D1,D2) from the Trustees in response to a legitimate court order, is unable to 
reconstruct a session key of X during the given time interval. This inability proves that X 
did not originally give the Trustees the proper additional pieces of information about his 
session keys. If so, the protocol will then ask the cooperation of the Trustees so as to 
reconstruct X's secret key in F (which is guaranteed possible since the trustees have 
verified that they hold legitimate shares of that key). Consequently, from that point on, all 
messages sent to X will cease to be private. Moreover, the adoption of a proper "hand- 
shaking protocol" will ensure that the Police understands all messages sent by X to any user 
who replies to him in the (F,C) system.^1 

In sum, therefore, malicious users who want to hide their conversations from law- 
enforcement agents even in presence of a court order, cannot do so by taking advantage of 



(Footnote 2, continued from the previous page:) in order to understand all the communications 
between X and Y at any date D in the time interval (D1,D2). Since, however, there may be 
quite many users Y to which the suspected user X talks, also this scheme may be considered 
impractical. 

^1 Of course, one may object that nothing is guaranteed about conversations between two users 
that are both malicious, since they may be using their own, altogether-different 
cryptosystems. Once more, however, we should remember that this is impossible to prevent, 
unless use of non-government-approved cryptosystems is made illegal. It is instead 
important to realize that, though all good citizens can enjoy a nation-wide PKC, the 
Government is at least guaranteed to have done NOTHING to facilitate private communications 
between malicious users. In fact, they cannot use F to exchange session keys for the 
recommended conventional cryptosystem C, since after reconstructing the relevant secret keys 
of F the Government could reconstruct such session keys and understand what any two 
malicious users would be saying to each other via C. Nor can all malicious users use F for 
exchanging secret keys relative to a special conventional cryptosystem C that is known to 
criminals but unknown to the Government. In fact, any conventional cryptosystem that is used 
by a sufficiently large group of people will eventually become known to the Government. On 
the other hand, if each pair of malicious users X and Y were to use a dedicated conventional 
cryptosystem Cxy to talk to each other, they would have no convenience to gain from using 
the society-provided public-key cryptosystem F! In fact, if they could establish beforehand 
(i.e., without using F) a common and secret cryptosystem Cxy, they might as well exchange 
(without using F) a common secret key Kxy to be used with any conventional 
cryptosystem. 
the convenience of a nation-wide (F,C) system. They must go back to the cumbersome 
practice of exchanging common secret keys beforehand, outside any major communication 
network. It is my firm opinion that the amount of illegal business privately conducted in 
this cumbersome way should be estimated minuscule with respect to the one that might 
be conducted via a nation-wide ordinary PKC. 

The Specifics Of Our Suggestion 

The hand-shaking protocol of our suggested (F,C) cryptosystem is the following. When X 
wants to initiate a secret conversation with Y at date D, she computes a secret session key 
SXDY and sends it to Y using the Fair PKC F (i.e., encrypts it with Y's public key in F). 
User Y then computes his secret session key SYDX and sends it to X after encrypting it 
with the received secret key SXDY (by means of the agreed-upon conventional 
cryptosystem C). User X then sends SYDX to Y by encrypting it with SXDY. 
Throughout the session, X sends messages to Y conventionally encrypted with SXDY, and 
Y sends messages to X via SYDX. (If anyone spots that the other disobeys the protocol, the 
communication is automatically terminated, and an alarm signal may be generated.) Thus in 
our example, though X and Y will understand each other perfectly, they will not be using a 
common, conventional key. Notice that, if the Police knows SXDY (respectively, SYDX), 
it will also know SYDX (respectively, SXDY). 

Assume now that the Court authorizes tapping the lines of user X from date D1 to date D2, 
and that a conversation occurs at a time D in the time interval [D1,D2] between X and Y. 
The idea is to make SXDY available to the Police in a convenient manner, because 
knowledge of this quantity will enable the Police to understand X's out-going and in- 
coming messages, if the hand-shaking has been performed, independently of whether X or 
Y initiated the call. To make SXDY conveniently available to the Police, we make sure that 
it is easily computable on input SXD, a master secret key that X uses for computing his 
own session key at date D with every other user. For instance, SXDY = H(SXD,Y), where 
H is a one-way (possibly hashing) function. 

Since there may be many dates D in the desired interval, however, we make sure that SXD 
is easily computable from a short string, i(X,D1,D2), immediately computable by the 
Police from the information it receives from the Trustees when they are presented with the 
court order "tap X from D1 to D2." For instance, in a 3-out-of-3 case, if we denote by 
ij(X,D1,D2) the information received by the Police from Trustee j in response to the court 
order, we may set 

    i(X,D1,D2) = H( i1(X,D1,D2), i2(X,D1,D2), i3(X,D1,D2) ), 

where H is a one-way (preferably hashing) function. Now, we must specify one last thing: 
what should ij(X,D1,D2) consist of? Letting Xj be the value originally given to Trustee j by 
user X when she entered the system (i.e., X gives Xj to Trustee j together with the j-th 
piece of her own secret key in the Fair PKC F), we wish that ij(X,D1,D2) easily depend 
on Xj. Let us thus describe effective choices for Xj, ij(X,D1,D2), and SXD. Assume that 
there are 2^d possible dates. Imagine a binary tree with 2^d leaves, whose nodes have n-bit 
identifiers, where n = 0,...,d. Quantity ij(X,D1,D2) is computed from Xj by storing a value 
at each of the nodes of our tree. The value stored at the root, node N_e (where e is the 
empty word), is Xj. Then a secure function G is evaluated on input Xj so as to yield two 
values, Xj0 and Xj1. The effect of G is that the value Xj is unpredictable given Xj0 and 
Xj1, and that each of Xj0 and Xj1 is unpredictable given the other. (For instance, Xj is a 
random k-bit value and G is a secure pseudo-random number generator that, using Xj as a 
seed, outputs 2k bits: the first k will constitute value Xj0, the second k value Xj1.) Value Xj0 
is then stored in the left child of the root (i.e., it is stored in node N_0) and value Xj1 is 
stored in the right child of the root (node N_1). The values of 
lower nodes in the tree are computed using G and the value stored in their parent in a 
similar way. Let SXjD be the value stored in leaf D (where D is a d-bit date) and 
SXD = H(SX1D, SX2D, SX3D). If D1 < D2 are d-bit dates, say that a node N controls the 
interval [D1,D2] if every leaf in the tree that is a descendant of N belongs to [D1,D2], 
while no proper ancestor of N has this property. Then, if ij(X,D1,D2) consists of the 
(ordered) sequence of values stored in the nodes that control [D1,D2], then 

I. ij(X,D1,D2) is quite short (at most 2d node values, however long the interval [D1,D2] is), and 

II. for each date D in the interval [D1,D2], the value SXjD stored in leaf D is easily 
computable from ij(X,D1,D2), and 

III. the value stored at any leaf not belonging to [D1,D2] is not easily predictable from 
ij(X,D1,D2), since no node in ij(X,D1,D2) is an ancestor of such a leaf and G cannot 
be inverted. 

Thus if each user X chooses her Xj values (sufficiently) randomly and (sufficiently) 
independently, the scheme has all the desired properties. In particular, 

1. User X computes SXD very efficiently for every value of D. 

2. When presented with a court order to tap the line of user X between dates D1 and 
D2, each Trustee j quickly computes ij(X,D1,D2). (In fact, he does not need to 
compute all values in the tree, but only those on the paths from the root to the nodes 
that control [D1,D2].) 

3. Having received ij(X,D1,D2) from every trustee j, the Police can, very quickly and 
without further interaction with the Trustees, compute 

(3.1) SXjD from ij(X,D1,D2) for every date D in the specified interval (in fact, its 
job is even easier since the SXjD's are computed in order and intermediate results 
can be stored), 

(3.2) the master secret-session key SXD from the SXjD's, and 

(3.3) the session key SXDY from SXD for any user Y talking to X in the 
specified time interval. 

Note, however, that no message sent or received before or after the time-interval specified 
by the court order will be intelligible to the Police (unless a new proper court order is 
issued). 
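The tree construction of this section, as an added worked example (it is not code from the paper): each trustee's root value Xj is expanded with a length-doubling function G into a binary tree over 2^d dates, ij(X,D1,D2) is the list of values at the nodes that control [D1,D2], and the Police derives SXjD for any date inside the interval, SXD from the three trustees' leaves, and SXDY from SXD and Y, while a date outside the interval yields nothing. SHA-256 standing in for G and H, d = 8, and the byte layout of the keys are assumptions made for the example.

```python
import hashlib

DEPTH = 8   # 2^DEPTH possible dates (constructed toy size; the paper's d)

def G(value):
    """Length-doubling PRG G: a node value -> (left child value, right child value).
    Built from SHA-256 with a one-byte domain separator; any secure PRG works."""
    return (hashlib.sha256(b"0" + value).digest(), hashlib.sha256(b"1" + value).digest())

def node_value(start, path):
    """Walk down from a node holding `start` along the bit string `path` ('0' = left)."""
    v = start
    for bit in path:
        v = G(v)[int(bit)]
    return v

def leaf_value(xj, date):
    """S_XjD: the value at leaf D, computable by the user (or trustee j) from the root Xj."""
    return node_value(xj, format(date, f"0{DEPTH}b"))

def controlling_nodes(d1, d2):
    """Identifiers of the nodes that control [D1,D2]: every descendant leaf is in the
    interval and no proper ancestor has that property. There are at most 2*DEPTH."""
    out = []

    def walk(path, lo, hi):
        if hi < d1 or lo > d2:          # subtree disjoint from the interval
            return
        if d1 <= lo and hi <= d2:       # subtree entirely inside: this node controls it
            out.append(path)
            return
        mid = (lo + hi) // 2
        walk(path + "0", lo, mid)
        walk(path + "1", mid + 1, hi)

    walk("", 0, (1 << DEPTH) - 1)
    return out

def trustee_info(xj, d1, d2):
    """i_j(X,D1,D2): the ordered values stored at the controlling nodes."""
    return [(path, node_value(xj, path)) for path in controlling_nodes(d1, d2)]

def police_leaf(info, date):
    """S_XjD from i_j for any D in [D1,D2]; None for a date outside the interval, since
    no received node is an ancestor of that leaf and G cannot be run upward."""
    bits = format(date, f"0{DEPTH}b")
    for path, v in info:
        if bits.startswith(path):
            return node_value(v, bits[len(path):])
    return None

def master_key(leaves):
    """SXD = H(SX1D, SX2D, SX3D)."""
    return hashlib.sha256(b"".join(leaves)).digest()

def session_key(sxd, peer):
    """SXDY = H(SXD, Y)."""
    return hashlib.sha256(sxd + peer.encode()).digest()
```

The test of property III worth keeping in a real implementation is the negative one: the Police's derivation must fail, not silently degrade, for dates outside [D1,D2], which is why the domain separator in G matters (without it, a node value and its children would be related by a plain hash chain that an implementer might accidentally expose in both directions through a shared API).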



9. Fair PKCs vs. the Clipper Chip 

9.1 A Quick Review of the Clipper Chip 

The Clipper Chip proposal is also based on the notion of a set of trustees, but it is primarily 
aimed at conventional cryptosystems. Under the new proposal, users encrypt messages by 
means of secure chips (as defined in subsection 8.2). All these chips contain in their 
protected memory a common classified encryption algorithm E and possess a unique 
identifier. To "initialize" chip x, two Trustees A and B independently choose a secret 
number (call ax the secret choice of Trustee A and bx that of Trustee B), and remember 
which secret choice they have made relative to x. These two numbers are then given 
(somehow) to a chip factory that computes their exclusive-or, cx, and stores it into the 
protected memory of the chip. This ends the initialization of chip x. Thus after being 
initialized, each Clipper chip possesses a secret key, whose value is at this point only 
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known to the chip itself, though shares of it are stored with the two trustees. Since the chip 
is assumed to be tamper-proof, it can be handled and sold without any further precautions 
after being initialized. Assume now that user X has bought chip x, that user Y has bought 
an analogous chip y, and that the two users have somehow exchanged a common secret 
key Kxy. To privately send a message m to Y, X inputs m to chip x, which will then use 
'the classified algorithm to (1) encrypt Kxy with key ex. and (2) encrypt message m with 
key Kxy, and then send both ciphertexts to Y. Y ignores the first ciphertext, but decodes 
the second one with the same key Kxy so as to obtain m. In case of a court order for 
monitoring X's conversations, the two trustees will retrieve their respective secret numbers 
ax and bx, and reveal them to the Police, which will then xor them so as to compute cx, 
decode the first ciphertext with cx so as to compute Kxy, and finally decode the second 
ciphertext with Kxy so as to compute m. 

9.2 A Potential Weakness of the Clipper Chip 

Before making any comparison with Fair PKCs, it should be noted that, in the absence of a properly specified protocol, the step of having the trustees send their secret shares of the (future) secret key $c_x$ to the factory is a dangerous one. In fact, this step introduces a special party, the factory, that "single-handedly knows" the chip's secret (thus nullifying the very notion of a set of trustees), and is therefore single-handedly capable of tapping X's conversations independently of any court order. Worse, while we can hope that trustees will be chosen so as to be considered trustworthy by most people, the same trust will presumably not be enjoyed by a "factory party."

Though more inconvenient, it would thus be preferable to have trustee A itself first insert secret $a_x$ in the protected memory of chip x, then ship chip x to trustee B so that it can directly insert its own secret $b_x$, and then have the chip itself compute $c_x$.

9.3 Comparison with Fair PKCs

Though they share a common approach, we believe Fair PKCs to be superior to the Clipper 
Chip proposal in a variety of ways; in particular, 

1. Software versus Hardware

While Fair PKCs can be implemented in hardware or software, the Clipper Chip requires the use of secure hardware, and thus will drive up the cost of any device using encryption.³

2. Citizen Control 

While in the Clipper Chip the user does not choose all keys on which her privacy 
depends, in a Fair PKC the user chooses all of her keys (and algorithms for that 
matter). 



On the other hand, the Government has at least as much control as in the Clipper Chip proposal. In either case, in fact, the Trustees have pieces that are guaranteed to be right.

³ It should be noted that even though in the particular implementation of time-bounded Fair PKCs of subsection 8.2 we recommend the use of secure hardware, this hardware is used by the legitimate monitoring agent, and thus it does not constitute a direct cost to the users. Moreover, there will be many fewer monitoring agents than users.

3. Flexibility

Since in a Fair PKC the user chooses and knows all of her keys, it is easy to have the system satisfy convenient additional properties; for instance, relying on fewer shares (in the sense of section 8.1) could be a feature of crucial importance for the Government. As another example, users may find it advantageous to use the same keys in different contexts (e.g., for their phones at work or at home) even if each of these different contexts has a different set of Trustees. This is not a problem for Fair PKCs; in fact, users, knowing all of their secret keys, can break them into a different set of proper shares, and give different sets of shares to different sets of trustees, each time easily proving that they hold legitimate shares. (It should be noticed that, unless an enemy has all the shares of one set of trustees, having some of the shares of both sets is useless.)

4. Public Key

If the Clipper Chip proposal wants to control crime in an effective manner, it should properly address the public-key scenario. In fact, once a nation-wide public-key distribution center is created⁴ (with or without the help of the Government), it will be easier for criminals to bypass the protection of the Clipper Chip. In fact, having one's encryption key properly publicized (e.g., by a nation-wide 411-like mechanism) may be a more crucial and difficult goal to achieve than coming into possession of a conventional cryptosystem chip. If not specifically forbidden, there will certainly be widely available "alternative" conventional-cryptosystem chips for use in conjunction with the publicly available PKC. It is thus crucial for law enforcement, in my opinion, to make sure that any public encryption key of a national PKC cannot be used to encrypt messages in a way that avoids court-authorized line tapping. This is the best way to extend to the field of encryption the proper system of "checks and balances" necessary in a democracy.

10. Final Thoughts 

Fair PKCs are a new technical tool possessing the potential to improve on the status quo. Society, though, must decide which is the best way to use such a tool. Who should the Trustees be? How many should there be? For how long should line tapping be authorized? We believe that answering questions like these requires a debate as public and wide as possible.
⁴ A not unlikely event, since it provides the most convenient way to achieve private communication.
Abstract. We present a computational technique for combatting junk mail in particular and controlling access to a shared resource in general. The main idea is to require a user to compute a moderately hard, but not intractable, function in order to gain access to the resource, thus preventing frivolous use. To this end we suggest several pricing functions, based on, respectively, extracting square roots modulo a prime, the Fiat-Shamir signature scheme, and the Ong-Schnorr-Shamir (cracked) signature scheme.

1 Introduction 

Recently, one of us returned from a brief vacation, only to find 241 messages in our reader. While junk mail has long been a nuisance in hard (snail) mail, we believe that electronic junk mail presents a much greater problem. In particular, the ease and low cost of sending electronic mail, and in particular the simplicity of sending the same message to many parties, all but invite abuse. In this paper we suggest a computational approach to combatting the proliferation of electronic mail.¹ More generally, we have designed an access control mechanism that can be used whenever it is desirable to restrain, but not prohibit, access to a resource.

Two general approaches have been used for limiting access to a resource: 
legislation and usage fees. For example, it has been suggested that sending an 
unsolicited FAX message should be a misdemeanor. This approach encounters 
obvious definitional problems. Usage fees may be a deterrent; however, we do 
not want a system in which to send a letter or note between friends should have 
a cost similar to that of a postage stamp; similarly we do not wish to charge 
a high fee to transmit long files between collaborators. Such an approach could 
lead to underutilization of the electronic medium. 

Since we believe the real cost of using the medium will not serve as a deterrent to junk mail, we propose a system that imposes another type of cost on transmissions. These costs will deter junk mail but will not interfere with other uses of the system. The main idea is for the mail system to require the sender to compute some moderately expensive, but not intractable, function of the message and some additional information. Such a function is called a pricing function.

¹ A simple solution, due to Blum and Micali [1], is simply not to read one's mail. We have another solution.

In the more general setting, in which we have an arbitrary resource and 
a resource manager, a user desiring access to the resource would compute a 
moderately hard function of the request id. (The request id could be composed 
of the user's identifier together with, say the date and time of the request.) 

The pricing function may be chosen to have something like a trap door: 
given some additional information the computation would be considerably less 
expensive. We call this a shortcut. The shortcut may be used by the resource 
manager to allocate cheap access to the resource, as the manager sees fit, by 
bypassing the control mechanism. For example, in the case of electronic mail the 
shortcut permits the post office to grant bulk mailings at a price chosen by the 
post office, circumventing the cost of directly evaluating the pricing function for 
each recipient. 

We believe our approach to be of practical interest. It also raises the point 
that, unlike the situation with one-way functions, there is virtually no complexity 
theory of moderately hard functions, and therefore yields excellent motivation 
for the development of such a theory. 

The rest of this paper is organized as follows. Section 2 contains a description 
of the properties we require of pricing functions. Section 3 focusses on combatting 
junk mail. Section 4 describes three possible candidates for pricing functions. We 
require a family of hash functions satisfying certain properties. Potentially suit- 
able hash functions are discussed in more detail in Section 5. Section 6 contains 
conclusions and open problems. 

2 Definitions and Properties 

We must distinguish between several grades of difficulty of computation. Rather 
than describe the hardness of computing a function in terms of asymptotic 
growth, or in terms of times on a particular machine, we focus on the relative 
difficulty of certain computational tasks. 

We require three classes of difficulty: easy, moderate, and hard. The term 
moderate can be viewed in two different ways. As an upper bound, it means that 
computation should be at most moderately hard (as opposed to hard); as a lower 
bound it means that computation should be at least moderately easy (as opposed 
to easy). The precise definition of easy and moderate and hard will depend on the 
particular implementation. However, there must be some significant gap between 
easy and moderately easy. As usual, hard means intractable in reasonable time, 
such as factoring a 1024-bit product of two large primes. 

The functions we consider for implementing our scheme have a difference 
parameter that serves a role analogous to that of a security parameter in a 
cryptosystem. A larger difference parameter stretches the difference between 
easy and moderate. Thus, if it is desired that, on a given machine, checking that 
a function has been correctly evaluated should require only, say, .01 seconds of CPU time, while evaluating the function directly, without access to the shortcut information, should require 10 seconds, the difference parameter can be chosen appropriately.

A function $f$ is a pricing function if

1. $f$ is moderately easy to compute;

2. $f$ is not amenable to amortization: given $t$ values $m_1, \dots, m_t$, computing $f(m_1), \dots, f(m_t)$ has amortized cost comparable to computing $f(m_i)$ for any $1 \le i \le t$;

3. given $x$ and $y$ it is easy to determine if $y = f(x)$.

We use the term "function" loosely: sometimes $f$ will be a relation.

$F = \{f_s\}$ is a family of pricing functions indexed by $s \in S \subseteq \{0,1\}^*$, such that $S$ is not hard to sample.

$\mathcal{F} = \{F_k\}$ is a collection of families of pricing functions indexed by a difference parameter $k$.

It is important not to choose a function that after some preprocessing can be computed very efficiently. Consider the following family of pricing functions $F$, based on subset sum. The index $s$ is a set of $l$ numbers $a_1, a_2, \dots, a_l$, $1 \le a_i \le 2^l$, such that $2^l$ is moderately large. For a given request $x$, $f_s(x)$ is a subset of $a_1, a_2, \dots, a_l$ that sums to $x$. Computing $f_s$ seems to require time proportional to $2^l$. As was shown by Schroeppel and Shamir [17], after preprocessing, using only a moderate amount of storage, such problems can be solved much more efficiently. Thus, there could be a large difference between the time spent evaluating $f_s$ on a large number $k$ of different inputs, such as would be necessary for sending bulk mail, and $k$ individual computations of $f_s$ from scratch. This is clearly undesirable.

We now introduce the notion of a shortcut, similar in spirit to a trapdoor. 
A pricing function with a shortcut is easy to evaluate given the shortcut. In 
particular, the shortcut is used for bypassing the access control mechanism, at 
the discretion of the resource manager. 

A collection of families of pricing functions is said to have the shortcut property if

1. there exists a polynomial time algorithm $A$ that generates a pair $s, c$;

2. $f_s$ is a function in $\mathcal{F}$;

3. $c$ is a shortcut: computing $f_s$ is easy given $c$.

Note that since $f_s$ is a pricing function, it is not amenable to amortization. Thus, given $s$, finding $c$ or an equivalent shortcut should be hard.

Remark. The consequences of a "broken" function are not severe. For example, if 
a cheating sender actually sends few messages, then little harm is done; if it sends 
many messages then the cheating will be suspected, if not actually detected, and 
the pricing function or its key can be changed. 

In the context of junk mail we use hash functions so that we never apply the pricing function to a message, which may be long, but only to its hash value. Ideally, the hash function should be very easy to compute. However, given $m$, $h$, and $m'$, it should not be easy to find $m''$ closely related to $m'$ such that $h(m'') = h(m)$. For example, if Macy's sends an announcement $m$ of a sale, and later wishes to send an announcement $m'$ of another sale, it should not be easy to find a suffix $z$ such that $h(m' \cdot z) = h(m)$.

Suitable hash functions could be based on DES, subset sum, MD4, and Sne- 
fru. We briefly discuss each of these in Section 5. 

3 Junk Mail 

The primary motivation for our work is combatting electronic junk mail. We 
envision an environment in which people have computers that are connected to 
a communication network. The computers may be used for various anticipated 
activities, such as, for example, updating one's personal database (learning that 
a check has cleared), subscribing to a news service, and so on. This communica- 
tion requires no human participation. This is different from the situation when 
one receives a personal letter, or an advertisement, which clearly require one's 
attention. Our interest is in controlling mail of this second kind. 

The system requires a single pricing function $f_s$, with shortcut $c$, and a hash function $h$. There is a pricing authority who controls the selection of the pricing function and the setting of usage fees. All users agree to obey the authority. There can be any number of trusted agents that receive the shortcut information from the pricing authority. The functions $h$ and $f_s$ are known to all users, but only the pricing authority and its trusted agents know $c$.

To send a message $m$ at time $t$ to destination $d$, the sender computes $y = f_s(h(m \cdot t \cdot d))$ and sends $y, m, t, d$ to $d$. The recipient's mail program verifies that $y = f_s(h(m \cdot t \cdot d))$. If the verification fails, or if $t$ is significantly different from the current time, then the message is discarded and (optionally) the sender is notified that transmission failed. If the verification succeeds and the message is timely, then the message is routed to the reader.

Suppose the pricing function $f$ has no shortcut. In this case, if one wants to 
write a personal letter, the computation of $f_s$ may take time proportional to the 
time taken to compose the letter. For typical private use that may be acceptable. 
In contrast, the computational cost of a bulk mailing, even a "desirable" (not 
junk) mailing, would be prohibitive, defeating the whole point of high bandwidth 
communication. 

In our approach bulk mail, such as notification of acceptance or rejection 
from a conference, is sent using the shortcut c, which necessarily requires the 
participation of the system manager. The sender pays a fee and prepares a set 
of letters, and one of the trusted agents evaluates the pricing function as needed 
for all the letters, using the shortcut. Since the fee is chosen to deter junk mail, 
and not to cover the actual costs of the mailing, it can simply be turned over to 
the recipients of the message.² 



² Another possible scenario would be that in order to send a user a letter, some compu-

Finally, each user can have a frequent correspondent list of senders from whom messages are accepted without verification. Thus, friends and relatives could circumvent the system entirely. Moreover, one could join a mailing list by adding the name of the distributor to one's list of frequent correspondents.³ The list, which is maintained locally by the recipient, can be changed as needed. Thus, when submitting a paper to a conference, an author can add the name of the conference to the list of frequent correspondents. In this way the conference is spared the fees of bulk mailing.

4 Pricing Functions 

In this section we list three candidate families of pricing functions. The first one 
is the simplest, but has no shortcut. 

4.1 Extracting Square Roots 

The simplest implementation of our idea is to base the difficulty of sending on 
the difficulty (but not infeasibility) of extracting square roots modulo a prime p. 
Again, there is no known shortcut for this function. 

- Index: A prime $p$ of length depending on the difference parameter; a reasonable length would be 1024 bits.

- Definition of $f_p$: The domain of $f_p$ is $Z_p$. $f_p(x) = \sqrt{x} \bmod p$.

- Verification: Given $x, y$, check that $y^2 = x \bmod p$.

The checking step requires only one multiplication. In contrast, no method of extracting square roots $\bmod p$ is known that requires fewer than about $\log p$ multiplications. Thus, the larger we take the length of $p$, the larger the difference between the time needed to evaluate $f_p$ and the time needed for verification.
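As an added example (not code from the paper), here is the junk-mail protocol of Section 3 instantiated with the square-root pricing function above, in Python. Assumptions of this example: SHA-256 stands in for the unspecified hash $h$, a constructed 61-bit prime replaces the 1024-bit one, the accepted timestamp window is fixed, and, since half of $Z_p$ has no square root, the sender roots $-x$ when $x$ is a non-residue and the verifier accepts $y^2 = \pm x$.

```python
import hashlib

# Constructed toy parameters. P is a prime with P = 3 (mod 4), so a square
# root of a residue x is x^((P+1)/4) mod P. The paper suggests ~1024-bit
# primes; this 61-bit Mersenne prime only keeps the demo fast.
P = 2**61 - 1
WINDOW = 3600  # seconds the timestamp t may drift from "now" (assumed value)


def is_residue(x: int) -> bool:
    """Euler's criterion: x is a nonzero square mod P iff x^((P-1)/2) = 1."""
    return pow(x, (P - 1) // 2, P) == 1


def request_id(m: bytes, t: int, d: str) -> int:
    """h(m . t . d) reduced into Z_P: the value the pricing function is applied to."""
    data = m + b"\x00" + str(t).encode() + b"\x00" + d.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P


def price(x: int) -> int:
    """f_p(x) = sqrt(x) mod P: the sender's moderately hard work (about log P
    multiplications). Non-residues have no root; for those we root P - x, which
    always works because -1 is a non-residue when P = 3 (mod 4). This +/-
    convention is an assumption of this example, not part of the paper."""
    if x % P == 0:
        return 0
    target = x if is_residue(x) else P - x
    y = pow(target, (P + 1) // 4, P)
    assert y * y % P == target  # holds for every residue when P = 3 (mod 4)
    return y


def verify(x: int, y: int) -> bool:
    """The recipient's check: a single multiplication, y^2 = +/- x mod P."""
    s = y * y % P
    return s == x % P or s == (P - x) % P


def send(m: bytes, t: int, d: str):
    """Sender side: compute y = f_p(h(m . t . d)) and ship (y, m, t, d)."""
    return price(request_id(m, t, d)), m, t, d


def accept(y: int, m: bytes, t: int, d: str, now: int) -> bool:
    """Recipient side: discard if the timestamp is stale or the root is wrong."""
    if abs(now - t) > WINDOW:
        return False
    return verify(request_id(m, t, d), y)


if __name__ == "__main__":
    packet = send(b"Hello Bob, lunch tomorrow?", 1_700_000_000, "bob@example.test")
    print("fresh and valid:", accept(*packet, now=1_700_000_030))
    print("stale:", accept(*packet, now=1_700_000_000 + 2 * WINDOW))
```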

4.2 A Fiat-Shamir Based Scheme 

This implementation is based on the signature scheme of Fiat and Shamir [6] . 

- Index: Let $N = pq$, where $p$ and $q$ are primes of sufficient length to make factoring $N$ infeasible (currently 512 bits suffice). Let $y_1 = x_1^2, \dots, y_k = x_k^2$ be $k$ squares modulo $N$, where $k$ depends on the difference parameter. Finally, let $h$ be a hash function whose domain is $Z_N^* \times Z_N^*$, and whose range is $\{0,1\}^k$. $h$ can be obtained from any of the hash functions described in Section 5 by taking the $k$ least significant bits of the output. The index $s$ is the $(k+2)$-tuple $(N, y_1, \dots, y_k, h)$.

- Shortcut: The square roots $x_1, \dots, x_k$.

tation that is useful to the recipient must be done. We currently have no candidates for such useful computation.
³ Similarly, one could have a list of senders to whom access is categorically denied.
- Definition of $f_s$: The domain of $f_s$ is $Z_N^*$. Below, we describe a moderately easy algorithm for finding $z$ and $r^2$ satisfying the following conditions. Let us write $h(x, r^2) = b_1 \dots b_k$, where each $b_i$ is a single bit. Then $z$ and $r^2$ must satisfy

$$z^2 = r^2 x^2 \prod_{i=1}^{k} y_i^{b_i} \bmod N.$$

$f_s(x) = (z, r^2)$ (note that $f_s$ is a relation).

- Verification: Given $x, z, r^2$, compute $b_1 \dots b_k = h(x, r^2)$ and check that

$$z^2 = r^2 x^2 \prod_{i=1}^{k} y_i^{b_i} \bmod N.$$

- To Evaluate $f_s$ with Shortcut Information: Choose an $r$ at random, compute $h(x, r^2) = b_1 \dots b_k$ and set $z = r x \prod_{i=1}^{k} x_i^{b_i}$. $f_s(x) = (z, r^2)$.

$f_s(x) = (z, r^2)$ can be computed as follows.

    Guess $b_1 \dots b_k \in \{0,1\}^k$.
    Compute $B = \prod_{i=1}^{k} y_i^{b_i} \bmod N$.
    Repeat:
        Choose random $z \in Z_N^*$
        Define $r^2$ to be $r^2 = (z^2 / (B x^2)) \bmod N$
    Until $h(x, r^2) = b_1 \dots b_k$.

The expected number of iterations is $2^k$, which, based on the intuition driving the Fiat-Shamir signature scheme, seems to be the best one can hope for. In particular, if $h$ is random, then one can do no better. Moreover, retrieving the shortcut $x_1, \dots, x_k$ is as hard as factoring [15]. In contrast, the verification procedure involves about $2k$ multiplications and one evaluation of the hash function. Similarly, given the shortcut the function can be evaluated using about $k$ multiplications and one evaluation of the hash function. Thus, $k$ is the difference parameter. A reasonable choice is $k = 10$.
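The Fiat-Shamir based pricing function worked through in Python, as an added example that is not the paper's code: the pricing authority's index and shortcut, evaluation with the shortcut (about $k$ multiplications), the direct search with its expected $2^k$ iterations, and verification. Assumed here: a constructed small $N = 1009 \cdot 1013$ instead of a 1024-bit modulus, $k = 6$, and SHA-256 truncated to its $k$ low bits as $h$.

```python
import hashlib
import math
import random

# Constructed toy index. N should be ~1024 bits in practice; these small primes
# only keep the demo fast. K is the difference parameter: direct evaluation costs
# about 2^K hash evaluations, evaluation with the shortcut about K multiplications.
K = 6
N = 1009 * 1013


def h(x: int, r2: int) -> int:
    """The k-bit hash h(x, r^2): the K least significant bits of SHA-256."""
    digest = hashlib.sha256(f"{x}|{r2}".encode()).digest()
    return int.from_bytes(digest, "big") & ((1 << K) - 1)


def unit(rng: random.Random) -> int:
    """A random element of Z*_N (coprime to N)."""
    while True:
        v = rng.randrange(2, N)
        if math.gcd(v, N) == 1:
            return v


def keygen(rng: random.Random):
    """Pricing authority: shortcut x_1..x_k and the public index y_i = x_i^2 mod N."""
    xs = [unit(rng) for _ in range(K)]
    ys = [x * x % N for x in xs]
    return ys, xs


def masked_product(vals, bits: int) -> int:
    """prod_{i : b_i = 1} vals[i] mod N, where bit i of `bits` plays b_{i+1}."""
    out = 1
    for i, v in enumerate(vals):
        if (bits >> i) & 1:
            out = out * v % N
    return out


def verify(ys, x: int, z: int, r2: int) -> bool:
    """Recipient: z^2 = r^2 x^2 prod y_i^{b_i} mod N, with b = h(x, r^2)."""
    bits = h(x, r2)
    return z * z % N == r2 * x % N * x % N * masked_product(ys, bits) % N


def eval_with_shortcut(xs, x: int, rng: random.Random):
    """Trusted agent: z = r x prod x_i^{b_i}; squaring gives the checked relation."""
    r = unit(rng)
    r2 = r * r % N
    z = r * x % N * masked_product(xs, h(x, r2)) % N
    return z, r2


def eval_direct(ys, x: int, rng: random.Random):
    """Ordinary sender: guess the hash bits, then sample z until h(x, z^2/(B x^2))
    matches the guess. Expected 2^K iterations; x must lie in Z*_N.
    Returns (z, r^2, iterations)."""
    bits = rng.randrange(1 << K)
    B = masked_product(ys, bits)
    inv = pow(B * x % N * x % N, -1, N)  # (B x^2)^-1 mod N
    iterations = 0
    while True:
        iterations += 1
        z = unit(rng)
        r2 = z * z % N * inv % N
        if h(x, r2) == bits:
            return z, r2, iterations


def run_demo(seed: int):
    """Full round trip on a fixed seed. Returns (shortcut_ok, direct_ok,
    bogus_z_rejected, iterations_used_by_direct_search)."""
    rng = random.Random(seed)
    ys, xs = keygen(rng)
    x = 4242  # constructed request value, coprime to N
    z, r2 = eval_with_shortcut(xs, x, rng)
    zd, r2d, n = eval_direct(ys, x, rng)
    return verify(ys, x, z, r2), verify(ys, x, zd, r2d), not verify(ys, x, 0, r2), n


if __name__ == "__main__":
    ok_short, ok_direct, rejected, n = run_demo(2024)
    print(f"shortcut valid={ok_short}, direct valid={ok_direct} after {n} "
          f"iterations (expected about {1 << K}), bogus z rejected={rejected}")
```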

4.3 An Ong-Schnorr-Shamir Based Scheme or Recycling Broken 
Signature Schemes 

A source of suggestions for pricing functions with short cuts is signature schemes 
that have been broken. The "right" type of breaking applicable for our purposes 
is one that does not retrieve the private signature key (analogous to factoring N 
in the previous subsection), but nevertheless allows forging signatures by some 
moderately easy algorithm. 

In this section we describe an implementation based on the proposed signa- 
ture scheme of Ong, Schnorr and Shamir and the Pollard algorithm for breaking 
it. In [12, 13] Ong, Schnorr, and Shamir suggested a very efficient signature scheme based on quadratic equations modulo a composite: the public key is a modulus $N$ (whose factorization remains secret) and an element $k \in Z_N^*$. The private key is $u$ such that $u^2 = -k^{-1} \bmod N$ (i.e., a square root of the inverse of $-k$ modulo $N$). A signature for a message $m$ (which we assume is in the range $0 \dots N-1$) is a solution $(x_1, x_2)$ of the equation $x_1^2 + k \cdot x_2^2 = m \bmod N$. There is an efficient signing algorithm, requiring knowledge of the private key:

- choose random $r_1, r_2 \in Z_N^*$ such that $r_1 \cdot r_2 = m \bmod N$

- set $x_1 = \frac{1}{2} \cdot (r_2 + r_1) \bmod N$ and $x_2 = \frac{1}{2} \cdot u \cdot (r_1 - r_2) \bmod N$.

Note that verifying a signature is extremely easy, requiring only 3 modular multiplications.

Pollard (reported in [14]) suggested a method of solving the equation without prior knowledge of the private key (finding the private key itself is hard: equivalent to factoring [15]). The method requires roughly $\log N$ iterations, and thus can be considered moderately hard, as compared with the verification and signing algorithms, which require only a constant number of multiplications and inversions. For excellent descriptions of Pollard's method and related work see [4, 9].

We now describe how to use the Ong-Schnorr-Shamir signature scheme as a 
pricing function. 

- Index: Let $N = pq$ where $p$ and $q$ are primes, and let $k \in Z_N^*$. Then $s = (N, k)$.

- Shortcut: $u$ such that $u^2 = -k^{-1} \bmod N$.

- Definition of $f_s$: The domain of $f_s$ is $Z_N^*$. Then $f_s(x) = (x_1, x_2)$, where $x_1^2 + k x_2^2 = x \bmod N$. $f_s$ is computed using Pollard's algorithm, as described above.

- Verification: Given $x_1, x_2, x$, verify that $x = x_1^2 + k x_2^2 \bmod N$.

- To Evaluate $f_s$ with Shortcut Information: Use the Ong-Schnorr-Shamir algorithm for signing.

5 Hash Functions 

Recall that we need hash functions for two purposes. First, in the context of junk 
mail, we hash messages down to some reasonable length, say 512 bits, and apply 
the pricing function to the hashed value of the message. In addition, we need 
hashing in the pricing function based on the signature scheme of Fiat-Shamir. 

We briefly discuss four candidate hash functions. Each of these can be com- 
puted very quickly. 

- DES: Several methods have been suggested for creating a one-way hash function based on DES (e.g. [10] and the references contained therein). Since DES is implemented in VLSI, and such a chip might become widely used for other purposes, this approach would be very efficient. Note that various attacks based on the "birthday paradox" [5] are not really relevant to our application since the effort needed to carry out such attacks is moderately hard.

- MD4: MD4 is a candidate one-way hash function proposed by Rivest [16]. 
It was designed explicitly to have high speed in software. The length of the 
output is either 128 or 256 bits. Although a simplified version of MD4 has 
been successfully attacked [3], we know of no attack on the full MD4. 
- Subset Sum: Impagliazzo and Naor [8] have proposed using "high density" subset sum problems as one-way hash functions. They showed that finding colliding pairs is as hard as solving the subset sum problem for this density. Although this approach is probably less efficient than the others mentioned here, the function enjoys many useful statistical properties (viz. [8]). Moreover, it is parameterized and therefore flexible.

- Snefru: Snefru was proposed by Merkle [11] as a one-way hash function suitable for software, and was broken by Biham and Shamir [2]. However, the Biham and Shamir attack still requires about $2^{24}$ operations to find a partner of a given message. Thus, it may still be viable for our purposes.

6 Discussion and Open Problems 

Of the three pricing functions described in Section 4, the Fiat-Shamir based one is the most flexible and enjoys the greatest difference function: changing $k$ by 1 doubles the difference. The disadvantage is that this function, like the Fiat-Shamir scheme, requires the "extra" hash function.

As mentioned in the Introduction, there is no theory of moderately hard 
functions. The most obvious theoretical open question is to develop such a theory, 
analogous, perhaps, to the theory of one-way functions. Another area of research 
is to find additional candidates for pricing functions. Fortunately, a trial and 
error approach here is not so risky as in cryptography, since as discussed earlier, 
the consequences of a "broken" pricing function are not severe. If someone tries to 
make money from having found cheaper ways of evaluating the pricing function, 
then he or she underprices the pricing authority. Either few people will know 
about this, in which case the damage is slight, or it will become public. 

Finally, the evaluation of the pricing function serves no useful purpose, except 
serving as a deterrent. It would be exciting to come up with a scheme in which 
evaluating the pricing function serves some additional purpose. 
Abstract. We derive new limitations on the information rate and the average information rate of secret sharing schemes for access structures represented by graphs. We give the first proof of the existence of access structures with optimal information rate and optimal average information rate less than $1/2 + \epsilon$, where $\epsilon$ is an arbitrary positive constant. We also provide several general lower bounds on the information rate and average information rate of graphs. In particular, we show that any graph with $n$ vertices admits a secret sharing scheme with information rate $\Omega((\log n)/n)$.



1 Introduction 

A secret sharing scheme is a technique to distribute a secret $S$ among a set of participants $P$ in such a way that only qualified subsets of $P$ can reconstruct the value of $S$, whereas any other subset of $P$, non-qualified to know $S$, cannot determine anything about the value of the secret. We briefly recall the results on secret sharing schemes that are more closely related to the topics of this paper.

Shamir [19] and Blakley [2] were the first to consider the problem of secret sharing and gave secret sharing schemes where each subset $A$ of $P$ of size $|A| \ge k$ can reconstruct the secret, and any subset $A$ of participants of size $|A| < k$ has absolutely no information on the secret. These schemes are known as $(n, k)$ threshold schemes; the value $k$ is the threshold of the scheme and $n$ is the size of $P$.

Ito, Saito and Nishizeki [15] considered a more general framework and showed how to realize a secret sharing scheme for any access structure. An access structure is a family of all subsets of $P$ which are qualified to recover the secret. Their technique requires that the size of the set where the shares are taken be very large compared to the size of the set where the secret is chosen. Benaloh and Leichter [1] proposed a technique to realize a secret sharing scheme for any access structure more efficient than Ito, Saito and Nishizeki's methodology. It should be pointed out that threshold schemes are insufficient to realize a secret sharing scheme for general access structures [1]. Moreover, Benaloh and Leichter also showed that there exist access structures for which any secret sharing scheme must give to some participant a share which is from a domain strictly larger than that of the secret.

* Partially supported by Italian Ministry of University and Research (M.U.R.S.T.) and by National Council for Research (C.N.R.) under grant 91.02326.CT12.

E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 148-167, 1993.
© Springer-Verlag Berlin Heidelberg 1993

Brickell and Davenport [5] analyzed ideal secret sharing schemes in terms of matroids. An ideal secret sharing scheme is a scheme for which the set where the shares are taken has the same size as the set where the secret is chosen. In particular, they proved that an ideal secret sharing scheme exists for a graph $G$ if and only if $G$ is a complete multipartite graph. Equivalently, if we define the information rate as the ratio between the size of the secret and that of the biggest share given to any participant, Brickell and Davenport's result can be stated by saying that a graph has information rate 1 if and only if it is a complete multipartite graph. Brickell and Stinson [6] gave several upper and lower bounds on the information rate of access structures based on graphs.

Capocelli, De Santis, Gargano, and Vaccaro [7] gave the first example of 
access structures with information rate bounded away from 1. 

Blundo, De Santis, Stinson, and Vaccaro [4] analyzed the information rate and the average information rate of secret sharing schemes based on graphs. The average information rate is the ratio between the secret size and the arithmetic mean of the size of the shares for such schemes. They proved the existence of a gap in the values of information rates of graphs; more precisely, they proved that if a graph $G$ with $n$ vertices is not a complete multipartite graph then any secret sharing scheme for it has information rate not greater than $2/3$ and average information rate not greater than $n/(n+1)$. These upper bounds arise by applying an entropy argument due to Capocelli, De Santis, Gargano, and Vaccaro [7].

The recent survey by Stinson [21] contains a unified description of recent 
results in the area of secret sharing schemes. For different approaches to the 
study of secret sharing schemes, for schemes with "extended capabilities" as dis- 
enrollment, fault-tolerance, and pre-positioning and for a complete bibliography 
we recommend the survey article by Simmons [20]. 

In this paper we derive new limitations on the information rate and the 
average information rate for access structures represented by graphs. In the 
first part we prove new upper bounds on the information rate and the average 
information rate. These bounds are obtained by using the entropy approach by 
[7] and are the best possible for the considered structures since we exhibit secret 
sharing schemes that meet the bounds. In particular, we give the first proof of 
the existence of access structures with information rate and average information 
rate strictly less than $2/3$. This solves a problem of [4]. In the second part we
consider the problem of finding good lower bounds on the information rate and 
the average information rate and we give several general lower bounds that 
improve on previously known results. 
2 Preliminaries

In this section we review the basic concepts of Information Theory we shall use. 
For a complete treatment of the subject the reader is advised to consult [8] and 
[11]. We shall also recall some basic terminology from graph theory. 

Given a probability distribution $\{p(x)\}_{x \in X}$ on a set $X$, we define the entropy of $X$, $H(X)$, as$^2$

$$H(X) = -\sum_{x \in X} p(x) \log p(x).$$

The entropy $H(X)$ is a measure of the average uncertainty one has about which element of the set $X$ has been chosen when the choices of the elements from $X$ are made according to the probability distribution $\{p(x)\}_{x \in X}$. The entropy enjoys the following property:

$$0 \le H(X) \le \log |X|, \qquad (1)$$

where $H(X) = 0$ if and only if there exists $x_0 \in X$ such that $p(x_0) = 1$, and $H(X) = \log |X|$ if and only if $p(x) = 1/|X|$ for all $x \in X$.

Given two sets $X$ and $Y$ and a joint probability distribution $\{p(x,y)\}_{x \in X, y \in Y}$ on their Cartesian product, the conditional entropy $H(X \mid Y)$, also called the equivocation of $X$ given $Y$, is defined as

$$H(X \mid Y) = -\sum_{y \in Y} \sum_{x \in X} p(y)\, p(x \mid y) \log p(x \mid y).$$

The conditional entropy can be written as

$$H(X \mid Y) = \sum_{y \in Y} p(y)\, H(X \mid Y = y),$$

where $H(X \mid Y = y) = -\sum_{x \in X} p(x \mid y) \log p(x \mid y)$. From the definition of conditional entropy it is easy to see that

$$H(X \mid Y) \ge 0. \qquad (2)$$

If we have $n+1$ sets $X_1, \ldots, X_n, Y$, the entropy of $X_1 \ldots X_n$ given $Y$ can be expressed as

$$H(X_1 \ldots X_n \mid Y) = H(X_1 \mid Y) + H(X_2 \mid X_1 Y) + \cdots + H(X_n \mid X_1 \ldots X_{n-1} Y). \qquad (3)$$
The mutual information between $X$ and $Y$ is defined by

$$I(X;Y) = H(X) - H(X \mid Y) \qquad (4)$$

and enjoys the following properties:

$$I(X;Y) = I(Y;X), \qquad (5)$$

and

$$I(X;Y) \ge 0,$$

from which one gets

$$H(X) \ge H(X \mid Y). \qquad (6)$$

$^2$ All logarithms in this paper are to base 2.

Given $n+2$ sets $X, Y, Z_1, \ldots, Z_n$ and a joint probability distribution on their Cartesian product, the conditional mutual information between $X$ and $Y$ given $Z_1, \ldots, Z_n$ can be written as

$$I(X;Y \mid Z_1, \ldots, Z_n) = H(X \mid Z_1, \ldots, Z_n) - H(X \mid Z_1, \ldots, Z_n Y). \qquad (7)$$

Since the conditional mutual information is always non-negative we get

$$H(X \mid Z_1, \ldots, Z_n) \ge H(X \mid Z_1, \ldots, Z_n Y). \qquad (8)$$

We now present some basic terminology from graph theory. A graph $G = (V(G), E(G))$ consists of a finite non-empty set of vertices $V(G)$ and a set of edges $E(G) \subseteq V(G) \times V(G)$. Graphs do not have loops or multiple edges. We consider only undirected graphs. In an undirected graph the pair of vertices representing any edge is unordered; thus the pairs $(X,Y)$ and $(Y,X)$ represent the same edge. To avoid overburdening the notation we often describe a graph $G$ by the list of all its edges $E(G)$. We use $(X,Y)$ and $XY$ interchangeably to denote the edge joining the vertices $X$ and $Y$. $G$ is connected if any two vertices are joined by a path. The complete graph $K_n$ is the graph on $n$ vertices in which any two vertices are joined by an edge. The complete multipartite graph $K_{n_1, n_2, \ldots, n_t}$ is a graph on $\sum_{i=1}^{t} n_i$ vertices in which the vertex set is partitioned into subsets of size $n_i$ ($1 \le i \le t$), called parts, such that $vw$ is an edge if and only if $v$ and $w$ are in different parts.

Suppose $G$ is a graph and $G_1, \ldots, G_t$ are subgraphs of $G$ such that each edge of $G$ occurs in at least one of the $G_i$'s. We say that $\Pi = \{G_1, \ldots, G_t\}$ is a covering of $G$, and if each $G_i$, $i = 1, \ldots, t$, is a complete multipartite graph then we say that $\Pi$ is a complete multipartite covering (CMC) of $G$.

3 Secret Sharing Schemes 

A secret sharing scheme permits a secret to be shared among $n$ participants in such a way that only qualified subsets of them can recover the secret, but any non-qualified subset has absolutely no information on the secret. An access structure $\mathcal{A}$ is the set of all subsets of $P$ that can recover the secret.

Definition 1.  Let $P$ be a set of participants. A monotone access structure $\mathcal{A}$ on $P$ is a subset $\mathcal{A} \subseteq 2^P$ such that

$$A \in \mathcal{A},\ A \subseteq A' \subseteq P \implies A' \in \mathcal{A}.$$

Definition 2.  Let $P$ be a set of participants and $\mathcal{A} \subseteq 2^P$. The closure of $\mathcal{A}$, $cl(\mathcal{A})$, is the set

$$cl(\mathcal{A}) = \{C \mid B \in \mathcal{A} \text{ and } B \subseteq C \subseteq P\}.$$
For a monotone access structure $\mathcal{A}$ we have $\mathcal{A} = cl(\mathcal{A})$.

A secret sharing scheme for secrets $s \in S$ and a probability distribution $\{p(s)\}_{s \in S}$ naturally induces a probability distribution on the joint space defined by the shares given to participants. This specifies the probability that participants receive given shares.

In terms of the probability distribution on the secret and on the shares given to participants, we say that a secret sharing scheme is a perfect secret sharing scheme, or simply a secret sharing scheme, for the monotone access structure $\mathcal{A} \subseteq 2^P$ if$^3$

1. Any subset $A \subseteq P$ of participants not enabled to recover the secret has no information on the secret value:

If $A \notin \mathcal{A}$ then for all $s \in S$ and for all $a \in A$ it holds that $p(s \mid a) = p(s)$.

2. Any subset $A \subseteq P$ of participants enabled to recover the secret can compute the secret:

If $A \in \mathcal{A}$ then for all $a \in A$ a unique secret $s \in S$ exists such that $p(s \mid a) = 1$.

Notice that property 1 means that the probability that the secret is equal to $s$, given that the shares held by $A \notin \mathcal{A}$ are $a$, is the same as the a priori probability that the secret is $s$. Therefore, no amount of knowledge of shares of participants not enabled to reconstruct the secret enables a Bayesian opponent to modify an a priori guess regarding which the secret is. Property 2 means that the value of the shares held by $A \in \mathcal{A}$ uniquely determines the secret $s \in S$.

Let $P$ be a set of participants and $\mathcal{A}$ a monotone access structure on $P$. Following the approach of [13], [14], and [7] we can restate the above conditions 1 and 2 using the information measures introduced in the previous section. Therefore, we say that a secret sharing scheme is a sharing of the secret $S$ among the participants in $P$ such that

1'. Any qualified subset can reconstruct the secret. Formally, for all $A \in \mathcal{A}$, it holds that $H(S \mid A) = 0$.

2'. Any non-qualified subset has absolutely no information on the secret. Formally, for all $A \notin \mathcal{A}$, it holds that $H(S \mid A) = H(S)$.

Notice that $H(S \mid A) = 0$ means that each set of values of the shares in $A$ corresponds to a unique value of the secret. In fact, by definition, $H(S \mid A) = 0$ is equivalent to the fact that for all $a \in A$ with $p(a) \ne 0$ there exists $s \in S$ such that $p(s \mid a) = 1$. Moreover, $H(S \mid A) = H(S)$ is equivalent to stating that $S$ and $A$ are statistically independent, i.e., for all $a \in A$ and for all $s \in S$, $p(s \mid a) = p(s)$, and therefore the knowledge of $a$ gives no information about the secret. Notice that the condition $H(S \mid A) = H(S)$ is equivalent to saying that for all $a \in A$ it holds that $H(S \mid A = a) = H(S)$.



$^3$ To keep the notation simpler, we denote with the same symbol (sets of) participants and the set(s) from which their shares are taken.
3.1 The Size of the Shares

One of the basic problems in the field of secret sharing schemes is to derive 
bounds on the amount of information that must be kept secret. This is important 
from the practical point of view since the security of any system degrades as the 
amount of secret information increases. 

Let $P$ be a set of $n$ participants and $\mathcal{A} \subseteq 2^P$ an access structure on $P$. We denote by $X \in P$ either the participant $X$ or the random variable defined by the value of his share. Different measures of the amount of secret information that must be distributed in a secret sharing scheme are possible. If we are interested in limiting the maximum size of the share of each participant (i.e., the maximum quantity of secret information that must be given to any participant), then a worst-case measure, the maximum of $H(X)$ over all $X \in P$, naturally arises. To analyze such cases we use the information rate of $\mathcal{A}$, defined as

$$\rho(\mathcal{A}, \mathcal{P}_S) = \frac{H(S)}{\max_{X \in P} H(X)},$$

for a given secret sharing scheme and non-trivial probability distribution $\mathcal{P}_S$ on the secret. This measure was introduced by Brickell and Stinson [6] for the case in which the probability distributions over the secret and the shares are uniform. In such a case the definition becomes $\rho(\mathcal{A}) = \log |S| / \max_{X \in P} \log |X|$. The optimal information rate is then defined as

$$\rho^*(\mathcal{A}) = \sup_{T, Q} \frac{H(S)}{\max_{X \in P} H(X)},$$

where $T$ is the space of all secret sharing schemes for the access structure $\mathcal{A}$ and $Q$ is the space of all non-trivial probability distributions $\mathcal{P}_S$.

In many cases it is preferable to limit the sum of the sizes of the shares given to all participants. In such a case the arithmetic mean of the $H(X)$, $X \in P$, is a more appropriate measure. We define the average information rate as

$$\tilde\rho(\mathcal{A}, \mathcal{P}_S) = \frac{H(S)}{\sum_{X \in P} H(X) / |P|},$$

for a given secret sharing scheme and non-trivial probability distribution $\mathcal{P}_S$ on the secret. This measure was introduced in [3], [16], and [17] under the assumption of a uniform probability distribution on the set of secrets. Blundo, De Santis, Stinson, and Vaccaro [4] analyzed secret sharing schemes by means of this measure when the probability distributions over the secret and the shares are uniform. If the secret and the shares are chosen under a uniform probability distribution, the above measure is equivalent to the "average size" of the shares assigned to each participant to realize a secret sharing scheme. The optimal average information rate is then defined as:
It is clear that, for the same secret sharing scheme and non-trivial probability distribution $\mathcal{P}_S$ on the secret, the information rate is no greater than the average information rate, that is $\tilde\rho \ge \rho$, and $\tilde\rho = \rho$ if and only if all $H(X)$, $X \in P$, have the same value. As done in [4] we denote, for a graph $G$, the optimal information rate by $\rho^*(G)$ and the optimal average information rate by $\tilde\rho^*(G)$.

3.2 Auxiliary Results 

In this section we recall some auxiliary results. We will improve some of them 
in the next sections and we will use others in our constructions. 

Brickell and Stinson [6] proved the following lower bound on the information rate for any graph of maximum degree $d$.

Theorem 3.  Let $G$ be a graph with maximum degree $d$. Then

$$\rho^*(G) \ge \frac{1}{\lceil d/2 \rceil + 1}.$$

In Section 5 we will show how to improve on it for odd $d$. Blundo, De Santis, Stinson, and Vaccaro [4] proved the following result for acyclic graphs.

Lemma 4.  Let $G$ be a tree. Then a secret sharing scheme for $G$ exists with information rate equal to $1/2$. Thus $\rho^*(G) \ge 1/2$.

In Section 5 we will show how to improve this bound for any tree.

The following result, proved in [4], will be used to obtain good secret sharing schemes for graphs with maximum degree 3.

Theorem 5.  Let $P_n$ be a path of length $n$, $n \ge 3$. A secret sharing scheme for $P_n$ exists with information rate $2/3$, and this is the optimal information rate of $P_n$.

The following lemmas have been proved by Capocelli, De Santis, Gargano, and Vaccaro [7]; we will use them to find new upper bounds on the information rate of access structures. Since their proofs are simple, we report them for the reader's convenience.

Lemma 6.  Let $\mathcal{A}$ be an access structure on a set $P$ of participants and $X, Y \subseteq P$. Let $Y \notin \mathcal{A}$ and $X \cup Y \in \mathcal{A}$. Then $H(X \mid Y) = H(S) + H(X \mid YS)$.

Proof. The conditional mutual information $I(X;S \mid Y)$ can be written either as $H(X \mid Y) - H(X \mid YS)$ or as $H(S \mid Y) - H(S \mid XY)$. Hence $H(X \mid Y) = H(X \mid YS) + H(S \mid Y) - H(S \mid XY)$. Since $H(S \mid XY) = 0$ for $X \cup Y \in \mathcal{A}$ and $H(S \mid Y) = H(S)$ for $Y \notin \mathcal{A}$, we have $H(X \mid Y) = H(S) + H(X \mid YS)$. □

Lemma 7.  Let $\mathcal{A}$ be an access structure on a set $P$ of participants and $X, Y \subseteq P$. If $X \cup Y \notin \mathcal{A}$ then $H(Y \mid X) = H(Y \mid XS)$.

Proof. The conditional mutual information $I(Y;S \mid X)$ can be written either as $H(Y \mid X) - H(Y \mid XS)$ or as $H(S \mid X) - H(S \mid XY)$. Hence $H(Y \mid X) = H(Y \mid XS) + H(S \mid X) - H(S \mid XY)$. Since $H(S \mid XY) = H(S \mid X) = H(S)$ for $X \cup Y \notin \mathcal{A}$ (by monotonicity $X \notin \mathcal{A}$ as well), we have $H(Y \mid X) = H(Y \mid XS)$. □
Finally, we briefly recall a technique introduced in [4] to obtain lower bounds on the information rate of a graph $G$.

Suppose $G$ is a graph and $G_1, \ldots, G_t$ are subgraphs of $G$ such that each edge of $G$ occurs in at least one of the $G_i$'s. Suppose also that each $G_i$ is a complete multipartite graph. Then we say that $\Pi = \{G_1, \ldots, G_t\}$ is a complete multipartite covering (or CMC) of $G$. Let $\Pi_j = \{G_{j1}, \ldots, G_{jn_j}\}$, $j = 1, \ldots, L$, comprise a complete enumeration of the minimal CMCs of $G$. For every vertex $v$ and for $j = 1, \ldots, L$ define $R_{jv} = |\{i : v \in G_{ji}\}|$ (the number of pieces of $\Pi_j$ containing $v$) and consider the following optimization problem $\mathcal{O}(G)$:

Minimize $T$ subject to:

$$a_j \ge 0,\quad 1 \le j \le L;$$

$$\sum_{j=1}^{L} a_j = 1;$$

$$T \ge \sum_{j=1}^{L} a_j R_{jv} \quad \text{for every } v \in V(G).$$

In [4] it is proved that if $T^*$ is the optimal solution to $\mathcal{O}(G)$ then $\rho^*(G) \ge 1/T^*$.


4 Upper Bounds on the Information Rate and Average 
Information Rate 

In this section we will exhibit an access structure having information rate less than $2/3$. This solves an open problem in [4]. The result is obtained using the entropy approach of [7].

Consider the graph $AS_k = (V(AS_k), E(AS_k))$, $k \ge 1$, where

$$V(AS_k) = \{Y_0, X_0, X_1, \ldots, X_k, X_{k+1}, \ldots, X_{2k}\}$$

and

$$E(AS_k) = \{(Y_0, X_0), (X_0, X_1), \ldots, (X_0, X_k), (X_1, X_{k+1}), \ldots, (X_k, X_{2k})\}.$$

As an example, the graph $AS_k$ for $k = 3$ is depicted in Figure 1(a).



Figure 1. (a) The graph $AS_3$; (b) and (c) the two minimal complete multipartite coverings $\Pi_1$ and $\Pi_2$ of $AS_3$ used in the proof of Theorem 8.

Theorem 8.  The optimal information rate of the graph $AS_k$, $k \ge 1$, is

$$\rho^*(AS_k) = \frac{1}{2} + \frac{1}{4k+2}$$

and the optimal average information rate is

$$\tilde\rho^*(AS_k) = \frac{2}{3} + \frac{2}{9k+6}.$$

Proof. Consider the conditional entropy $H(X_1 \ldots X_k \mid Y_0)$. We have

$$\begin{aligned}
H(X_1 \ldots X_k \mid Y_0) &= H(X_1 \mid Y_0) + H(X_2 \mid X_1 Y_0) + \cdots + H(X_k \mid X_1 \ldots X_{k-1} Y_0) && \text{(from (3))}\\
&\ge H(X_1 \mid Y_0 X_{k+1}) + H(X_2 \mid X_1 Y_0 X_{k+2}) + \cdots + H(X_k \mid X_1 \ldots X_{k-1} Y_0 X_{2k}) && \text{(from (8))}\\
&\ge k\, H(S) && \text{(from Lemma 6 and (2))},
\end{aligned}$$

where Lemma 6 applies because each set $X_1 \ldots X_{i-1} Y_0 X_{k+i}$ contains no edge of $AS_k$, while adding $X_i$ brings in the edge $X_i X_{k+i}$. On the other hand, we also have

$$\begin{aligned}
H(X_1 \ldots X_k \mid Y_0) &= H(X_1 \ldots X_k \mid Y_0 S) && \text{(from Lemma 7)}\\
&\le H(X_0 X_1 \ldots X_k \mid Y_0 S) && \text{(from (3) and (2))}\\
&\le H(X_0 \mid Y_0 S) + H(X_1 \mid X_0 S) + \cdots + H(X_k \mid X_0 S) && \text{(from (3) and (8))}\\
&= H(X_0 \mid Y_0) - H(S) + H(X_1 \mid X_0) - H(S) + \cdots + H(X_k \mid X_0) - H(S) && \text{(from Lemma 6)}\\
&\le H(X_0) + H(X_1) + \cdots + H(X_k) - (k+1) H(S) && \text{(from (6))}.
\end{aligned}$$

Therefore, we get

$$H(X_0) + H(X_1) + \cdots + H(X_k) \ge (2k+1) H(S). \qquad (9)$$
From (9) it follows that there exists $i \in \{0, 1, \ldots, k\}$ such that

$$H(X_i) \ge \frac{2k+1}{k+1} H(S).$$

Therefore, the optimal information rate $\rho^*(AS_k)$ of $AS_k$ is upper bounded by

$$\frac{H(S)}{\max_{X} H(X)} \le \frac{k+1}{2k+1} = \frac{1}{2} + \frac{1}{4k+2}.$$

From (9) and from Lemma 6 (which gives $H(Y_0) \ge H(S)$ and $H(X_{k+i}) \ge H(S)$ for $1 \le i \le k$) it follows that

$$H(Y_0) + \sum_{i=0}^{2k} H(X_i) \ge (3k+2) H(S).$$

Therefore, the optimal average information rate of $AS_k$ (a graph on $2k+2$ vertices) is upper bounded by

$$\frac{2k+2}{3k+2} = \frac{2}{3} + \frac{2}{9k+6}.$$

Actually, $1/2 + 1/(4k+2)$ is the true value of the optimal information rate. This value can be attained by using the CMC technique presented in [4], as the solution of the following linear programming problem.

Consider the following two minimal complete multipartite coverings of $AS_k$:

$$\Pi_1 = \{\{Y_0 X_0, X_0 X_1, \ldots, X_0 X_k\},\ \{X_1 X_{k+1}\},\ \ldots,\ \{X_k X_{2k}\}\},$$

$$\Pi_2 = \{\{Y_0 X_0\},\ \{X_0 X_1, X_1 X_{k+1}\},\ \ldots,\ \{X_0 X_k, X_k X_{2k}\}\}.$$

These two coverings of $AS_k$ are depicted in Figure 1(b) and 1(c) for $k = 3$. The matrix of entries $R_{jv}$, with columns indexed by $Y_0, X_0, X_1, \ldots, X_k, X_{k+1}, \ldots, X_{2k}$, is

$$\begin{pmatrix} 1 & 1 & \overbrace{2\ \cdots\ 2}^{k} & \overbrace{1\ \cdots\ 1}^{k} \\ 1 & k+1 & 1\ \cdots\ 1 & 1\ \cdots\ 1 \end{pmatrix}.$$

Hence the linear programming problem to be solved is the following:

Minimize $T$ subject to

$$a_j \ge 0,\ j = 1, 2;\qquad a_1 + a_2 = 1;\qquad T \ge a_1 + (k+1) a_2;\qquad T \ge 2 a_1 + a_2.$$

The optimal solution is $a_1 = k/(k+1)$, $a_2 = 1/(k+1)$, with $T^* = (2k+1)/(k+1)$. Hence $\rho^*(AS_k) \ge (k+1)/(2k+1)$, and this rate can be attained by taking $k$ copies of $\Pi_1$ and one copy of $\Pi_2$. Thus, the optimal information rate of $AS_k$ is $1/2 + 1/(4k+2)$. The optimal average information rate, equal to $2/3 + 2/(9k+6)$, can be attained by either $\Pi_1$ or $\Pi_2$. □
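As an added illustration (this script is not part of the paper), the following Python code builds the schemes that attain the bounds of Theorem 8 for $k = 1$ and of Theorem 9 for $k = 1$ using the CMC multiple construction of [4]: for $AS_1$ (the path $Y_0 X_0 X_1 X_2$) it combines the coverings $\Pi_1$ and $\Pi_2$ above, and for $M_1$ (the path on six vertices) it uses the covering $\Pi$ of Theorem 9. It enumerates the joint distribution of secret and shares exhaustively, checks conditions 1' and 2' of Section 3 for every subset of participants with the entropy functions of Section 2, reports $\rho$ and $\tilde\rho$, and checks Lemma 6 and inequality (9) numerically. The scheme used inside each complete multipartite piece (a vertex in part $i$ gets $r + i s \bmod q$ with one fresh random $r$ per piece) and the prime $q = 5$ are assumptions of this example, as are the function names.

```python
"""Added example (not code from the paper): build perfect secret sharing
schemes for graph access structures with the CMC multiple construction of [4],
then check conditions 1' and 2' by entropy and measure rho and rho-bar."""
from collections import Counter
from itertools import combinations, product
from math import log2

Q = 5  # prime; must exceed the number of parts of every CMC piece (assumption)


def piece_shares(parts, secret, rnd):
    """Scheme for one complete multipartite piece: a vertex in part i gets
    rnd + i*secret (mod Q).  Two vertices in different parts subtract their
    shares to recover the secret; vertices of one part hold the same uniformly
    random value, so a single part learns nothing."""
    return {v: (rnd + i * secret) % Q for i, part in enumerate(parts) for v in part}


def all_outcomes(vertices, coverings):
    """Multiple construction: covering j shares secret component j, and every
    piece draws fresh randomness.  Secret and randomness are uniform, so the
    joint distribution of (S, shares) is uniform over the returned list."""
    npieces = sum(len(cov) for cov in coverings)
    outs = []
    for s in product(range(Q), repeat=len(coverings)):
        for r in product(range(Q), repeat=npieces):
            shares, pos = {v: [] for v in vertices}, 0
            for j, cov in enumerate(coverings):
                for parts in cov:
                    for v, x in piece_shares(parts, s[j], r[pos]).items():
                        shares[v].append(x)
                    pos += 1
            outs.append({"S": s, **{v: tuple(shares[v]) for v in vertices}})
    return outs


def H(outs, names):
    """Entropy in bits of the joint variable `names` under uniform `outs`."""
    n = len(outs)
    counts = Counter(tuple(o[x] for x in names) for o in outs)
    return -sum(k / n * log2(k / n) for k in counts.values())


def cond_H(outs, xs, ys):
    """H(X|Y) = H(XY) - H(Y)."""
    return H(outs, list(xs) + list(ys)) - H(outs, list(ys))


def qualified(subset, edges):
    """Access structure cl(E(G)): a subset is qualified iff it contains an edge."""
    return any(u in subset and v in subset for u, v in edges)


def is_perfect(outs, vertices, edges):
    """1': H(S|A) = 0 for qualified A;  2': H(S|A) = H(S) for every other A."""
    hs = H(outs, ["S"])
    for r in range(1, len(vertices) + 1):
        for A in combinations(vertices, r):
            want = 0.0 if qualified(A, edges) else hs
            if abs(cond_H(outs, ["S"], A) - want) > 1e-9:
                return False
    return True


def rates(outs, vertices):
    """(information rate, average information rate) of the scheme."""
    hs = H(outs, ["S"])
    hx = [H(outs, [v]) for v in vertices]
    return hs / max(hx), hs / (sum(hx) / len(vertices))


def lemma6_gap(outs, X, Y):
    """H(X|Y) - H(S) - H(X|YS): zero by Lemma 6 when Y is unqualified and X u Y is qualified."""
    return cond_H(outs, X, Y) - H(outs, ["S"]) - cond_H(outs, X, list(Y) + ["S"])


def run(vertices, edges, coverings):
    """Build the scheme and return (perfect?, rho, rho_bar, outcomes)."""
    outs = all_outcomes(vertices, coverings)
    rho, rho_bar = rates(outs, vertices)
    return is_perfect(outs, vertices, edges), rho, rho_bar, outs


# AS_1 (Theorem 8, k = 1): the path Y0 - X0 - X1 - X2 and its two minimal CMCs,
# Pi_1 (star at X0 plus the edge X1X2) and Pi_2 (edge Y0X0 plus star at X1).
AS1_V = ["Y0", "X0", "X1", "X2"]
AS1_E = [("Y0", "X0"), ("X0", "X1"), ("X1", "X2")]
PI_1 = [[["X0"], ["Y0", "X1"]], [["X1"], ["X2"]]]
PI_2 = [[["Y0"], ["X0"]], [["X1"], ["X0", "X2"]]]

# M_1 (Theorem 9, k = 1): the path X1 - X2 - ... - X6 with the covering Pi of Theorem 9.
M1_V = [f"X{i}" for i in range(1, 7)]
M1_E = [(f"X{i}", f"X{i + 1}") for i in range(1, 6)]
M1_PI = [[["X2"], ["X1", "X3"]], [["X4"], ["X3", "X5"]], [["X5"], ["X6"]]]

if __name__ == "__main__":
    for name, covs in [("Pi_1", [PI_1]), ("Pi_2", [PI_2]), ("Pi_1 + Pi_2", [PI_1, PI_2])]:
        perfect, rho, rho_bar, outs = run(AS1_V, AS1_E, covs)
        print(f"AS_1 with {name}: perfect={perfect} rho={rho:.4f} rho_bar={rho_bar:.4f}")
    print("Lemma 6 gap, X={X0}, Y={Y0}:", round(lemma6_gap(outs, ["X0"], ["Y0"]), 9))
    print("(9) slack H(X0)+H(X1)-3H(S):", round(H(outs, ["X0"]) + H(outs, ["X1"]) - 3 * H(outs, ["S"]), 9))
    perfect, rho, rho_bar, _ = run(M1_V, M1_E, [M1_PI])
    print(f"M_1 with Pi: perfect={perfect} rho={rho:.4f} rho_bar={rho_bar:.4f}")
```

Either covering alone gives $AS_1$ rate $1/2$ and average rate $4/5$; one copy of each (the $k = 1$ case of $k$ copies of $\Pi_1$ plus one of $\Pi_2$) raises the rate to $2/3 = 1/2 + 1/(4k+2)$ while keeping the average at $4/5 = 2/3 + 2/(9k+6)$, and inequality (9) is met with equality. For $M_1$ the single covering gives $\tilde\rho = 3/4 = (k+2)/(2k+2)$.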
Suppose that $p(s) = 1/|S|$ for any $s \in S$. The above result and inequality (1) imply that any perfect secret sharing scheme for $AS_k$ must give at least one participant a share of size at least $2 - 1/(k+1)$ times the size of the secret.

Theorem 8 is a generalization of Theorem 4.1 of [7]. In fact, if we choose $k = 1$ the access structure $AS_1$ is the closure of the edge set of $P_3$, the path on four vertices.

In Appendix A are depicted all graphs on six vertices that have $AS_2$ as an induced subgraph and therefore have optimal information rate at most $3/5$. It turns out that the optimal information rate for all those graphs is equal to $3/5$, and all but one also have optimal average information rate equal to $3/4$.

Using the previous theorem we can show the existence of access structures having average information rate less than $2/3$, which was the best upper bound known so far [7]. Consider the graph $M_k$, where

$$V(M_k) = \{X_1, X_2, \ldots, X_{2k+3}, X_{2k+4}\}$$

and

$$E(M_k) = \{X_1 X_2\} \cup \{X_2 X_i,\ X_i X_{k+i},\ X_{k+i} X_{2k+3} \mid 3 \le i \le k+2\} \cup \{X_{2k+3} X_{2k+4}\}.$$

The graph $M_3$ is depicted in Figure 2. The following theorem holds.

Theorem 9.  The optimal average information rate for $M_k$, $k \ge 1$, is

$$\tilde\rho^*(M_k) = \frac{k+2}{2k+2}.$$

Proof. From Lemma 6 we get $H(X_1) \ge H(S)$ and $H(X_{2k+4}) \ge H(S)$, whereas from Theorem 8 (inequality (9), applied to the two copies of $AS_k$ induced in $M_k$ by $X_1, \ldots, X_{2k+2}$ and by $X_3, \ldots, X_{2k+4}$) we have

$$\sum_{i=2}^{k+2} H(X_i) \ge (2k+1) H(S)$$

and

$$\sum_{i=k+3}^{2k+3} H(X_i) \ge (2k+1) H(S).$$

Thus,

$$\sum_{i=1}^{2k+4} H(X_i) \ge (4k+4) H(S).$$

Hence,

$$\tilde\rho^*(M_k) \le \frac{2k+4}{4k+4} = \frac{k+2}{2k+2}.$$

It is easy to see that the following complete multipartite covering $\Pi$ of the graph $M_k$ meets this bound:

$$\Pi = \{\{X_1 X_2, X_2 X_3, \ldots, X_2 X_{k+2}\},\ \{X_3 X_{k+3}, X_{k+3} X_{2k+3}\},\ \ldots,\ \{X_{k+2} X_{2k+2}, X_{2k+2} X_{2k+3}\},\ \{X_{2k+3} X_{2k+4}\}\}.$$

□
4.1 An NP-completeness result

A close look at the proof of the upper bound in Theorem 8 shows that it can be applied also to any access structure $\mathcal{A}$ on $2k+2$ participants $Y_0, X_0, X_1, \ldots, X_{2k}$ such that the set $\mathcal{A}$-allowed defined as

$$\mathcal{A}\text{-allowed} = \{Y_0 X_0\} \cup \{X_0 X_i,\ X_i X_{k+i} \mid 1 \le i \le k\}$$

is in the access structure, i.e. $\mathcal{A}$-allowed $\subseteq \mathcal{A}$, but the set $\mathcal{A}$-forbidden defined as

$$\mathcal{A}\text{-forbidden} = \{X_1 X_2 \ldots X_k Y_0\} \cup \{Y_0 X_{k+1}\} \cup \{X_1 \ldots X_i Y_0 X_{k+i+1} \mid 1 \le i \le k-1\}$$

has no intersection with the access structure, i.e. $\mathcal{A}$-forbidden $\cap\ \mathcal{A} = \emptyset$. Let $\mathcal{B}_k$ be the set of all access structures which satisfy the above requirements. The sequence $(X_1, X_2, \ldots, X_k)$ is called the children list of the access structure $\mathcal{A}$ (the name is inspired by the fact that the set $\mathcal{A}$-allowed has the form of a tree). To keep the notation simpler we denote a set $\{a_1, a_2, \ldots, a_n\}$ by the sequence $a_1 a_2 \ldots a_n$. In case the access structure is the closure of a graph, the set $\mathcal{A}$-forbidden can be written as

$$\mathcal{A}\text{-forbidden-edges} = \{Y_0 X_i \mid 1 \le i \le 2k\} \cup \{X_i X_j \mid 1 \le i < j \le k\} \cup \{X_i X_{k+j} \mid 1 \le i < j \le k\}.$$

Let $\mathcal{A}$ be an access structure on a set $P$ of participants. Given a subset of participants $P' \subseteq P$, we define the access structure induced by $P'$ as the family of sets $\mathcal{A}[P'] = \{x \in \mathcal{A} \mid x \subseteq P'\}$. Extending Theorem 3.3 of [6] to general access structures and using Theorem 8 we can prove the following theorem.

Theorem 10.  Let $\mathcal{A}$ be an access structure on a set $P$ of participants and $P' \subseteq P$. If $\mathcal{A}[P'] \in \mathcal{B}_k$, where $k \ge 1$, then the optimal information rates for $\mathcal{A}$ and $\mathcal{A}[P']$ satisfy

and the optimal average information rate for $\mathcal{A}[P']$ satisfies

The above theorem gives an upper bound on the information rate of an access structure given that the access structure induced by a subset of participants is in $\mathcal{B}_k$. Unfortunately, testing for this property is a hard computational problem, as we show that it is NP-complete. Let $\mathcal{A}$ be an access structure; a set $C \in \mathcal{A}$ is a minimal set of $\mathcal{A}$ if it does not contain any set in $\mathcal{A} \setminus \{C\}$. Define the BOUNDED-INFORMATION-RATE problem as follows: Given a set of participants $P$, an access structure $\mathcal{A}$ defined by the family of minimal sets which can recover the secret, and a positive integer $k$, determine if there is a subset $P' \subseteq P$ such that the induced access structure $\mathcal{A}[P']$ is in $\mathcal{B}_k$.

Theorem 11.  BOUNDED-INFORMATION-RATE is NP-complete.

Proof. The proof will be given in the final version of the paper. □

4.2 Upper bounds for more general access structures

A general technique to upper bound the average information rate $\tilde\rho^*(G)$ of graphs $G$ which have one or more induced subgraphs of a given form is given below.

If $G$ is a graph and $V_1 \subseteq V(G)$, then we define the induced graph $G[V_1]$ to have vertex set $V_1$ and edge set $\{XY \in E(G) : X, Y \in V_1\}$.

Let $G$ be a graph. We define a subgraph $F_G$ of $G$, that we will call the foundation of $G$, in the following manner. This is an extension of the notion of foundation presented in [4]. Let $X \in V(G)$. Let $k$ be the maximum integer such that there is a set $V$ of $2k+1$ vertices $Y_0, X_1, \ldots, X_{2k} \in V(G)$ such that the induced subgraph $G[V \cup \{X\}]$ is in $\mathcal{B}_k$; that is, $E(G[V \cup \{X\}])$ contains the set $\mathcal{A}$-allowed but does not contain any edge in the set $\mathcal{A}$-forbidden-edges, with $X$ in the role of $X_0$. Clearly $k \le \deg(X)$, where $\deg(X)$ is the degree of vertex $X$. A set $V$ satisfying the above properties is called an $X$-set of vertex $X$, with size $k$. Denote by $f^X_{X_1 \ldots X_k}$ the set of edges $X X_i$, $i = 1, \ldots, k$. We call $f^X_{X_1 \ldots X_k}$ the local foundation of vertex $X$ and $X$-set $V$, and we call the vertices $X_1, \ldots, X_k$ descendants of $X$ in $f^X_{X_1 \ldots X_k}$. Let $\{V_1, \ldots, V_m\}$ be the family of all $X$-sets of vertex $X \in V(G)$, and $\{f^X_1, \ldots, f^X_m\}$ be the family of the corresponding local foundations. Observe that this approach might not be feasible for large values of $m$, since $m$ might be exponentially large in the worst case. Now we can define the foundation $F_G$ of a graph $G$ as follows:

$$F_G = \{f^X_1, \ldots, f^X_m \mid X \in V(G)\}.$$

If $f^{X_0}$ is in $F_G$, the foundation of a graph $G$, and $X_1, \ldots, X_k$ are descendants of $X_0$ in $f^{X_0}$, then by Theorem 8 we have $\sum_{i=0}^{k} H(X_i) \ge (2k+1) H(S)$ for any secret sharing scheme with access structure $cl(E(G))$. Consider the following linear programming problem $\mathcal{A}(G)$:



Minimize

$$\sum_{X \in V(G)} a_X$$

subject to:

$$a_X \ge 0,\quad X \in V(G);$$

$$a_{X_0} + a_{X_1} + \cdots + a_{X_k} \ge k,\quad X_0 \in V(G),\ f^{X_0} \in F_G \text{ and } X_1, \ldots, X_k \text{ descendants of } X_0 \text{ in } f^{X_0}.$$

Here $a_X$ plays the role of the excess $H(X)/H(S) - 1$ of a share over the secret, so each constraint restates $\sum_{i=0}^{k} H(X_i) \ge (2k+1) H(S)$. The following upper bound on the average information rate holds.

Theorem 12.  Let $G$ be a graph with foundation $F_G$. Let $C^*$ be the optimal solution to the problem $\mathcal{A}(G)$. Then

$$\tilde\rho^*(G) \le \frac{|V(G)|}{C^* + |V(G)|}.$$

Proof. The proof will be given in the final version of the paper. □



5 Lower Bounds on Information Rate and Average 
Information Rate 

In this section we will give several general lower bounds on the information rate 
and on the average information rate of access structures represented by graphs. 

We first improve on the bound of Theorem 3 for graphs with n vertices and 
odd maximum degree d. 

Lemma 13.  Let $G$ be a graph with $n$ vertices and maximum degree $d$, $d$ odd. Then

$$\rho^*(G) \ge \frac{1}{\lceil d/2 \rceil + 1 - \lceil d/2 \rceil / n}.$$

Proof. Let $Adj(X)$, $Inc(X)$, $degree\text{-}one(X)$ be the following sets:

- $Adj(X) = \{Y : (X, Y) \in E\}$

- $Inc(X) = \{(X, Y) : (X, Y) \in E\}$

- $degree\text{-}one(X) = \{Y \in Adj(X) : |Inc(Y)| = 1\}$

Let $X \in V(G)$ and let $G_X$ be the subgraph of $G$ with $V(G_X) = \{X\} \cup Adj(X)$ and $E(G_X) = Inc(X)$. It is well known that a secret sharing scheme for $G_X$ exists with information rate equal to 1 ($G_X$ is a complete multipartite graph, namely a star). Consider the graph $G'$ where $V(G') = V(G) - (\{X\} \cup degree\text{-}one(X))$ and $E(G') = E(G) - Inc(X)$. We realize a secret sharing scheme for $G'$, for a secret of one bit, using the technique shown in Theorem 3.8 of [6]. Each vertex in $Adj(X) \cap V(G')$ gets at most $\lceil (d-1)/2 \rceil + 1$ bits, since its degree in $G'$ is at most $d - 1$, while the other vertices get at most $\lceil d/2 \rceil + 1$ bits. A secret sharing scheme for $G$ can be realized by joining the scheme for $G_X$ and the scheme for $G'$. In this scheme the vertex $X$ receives one bit, the vertices in $Adj(X) \cap V(G')$ receive at most $\lceil (d-1)/2 \rceil + 2$ bits, while the other vertices get at most $\lceil d/2 \rceil + 1$ bits. Since $\lceil (d-1)/2 \rceil + 2 = \lceil d/2 \rceil + 1$ if $d$ is odd, there is a secret sharing scheme for $G$, for a secret consisting of a single bit, that gives each vertex of $G$ at most $\lceil d/2 \rceil + 1$ bits while a predetermined vertex gets only one bit. If we take $n$ of these secret sharing schemes, one for each vertex in $V$, and compose them, we obtain a secret sharing scheme for a secret of $n$ bits that gives each vertex at most $1 + (n-1)(\lceil d/2 \rceil + 1)$ bits, so we can realize a secret sharing scheme with information rate equal to

$$\frac{n}{1 + (n-1)(\lceil d/2 \rceil + 1)} = \frac{1}{\lceil d/2 \rceil + 1 - \lceil d/2 \rceil / n},$$

and the lemma follows. □

For a graph $G$ of maximum degree 3, the bound of [6] gives $\rho^*(G) \ge 1/3$ while the bound of Lemma 13 gives $\rho^*(G) \ge 1/(3 - 2/n)$. The following lemma gives an improved bound.

Lemma 14.  Let $G$ be a graph of maximum degree 3. Then $\rho^*(G) \ge 2/5$.

Proof. Consider a covering $C$ of $G$ consisting of maximal-length paths $P_1, \ldots, P_m$. It is well known that a secret sharing scheme for a path exists with optimal information rate equal to $2/3$ (see Theorem 5); this scheme, for a secret of two bits, gives two bits to the terminal vertices of the path while the other vertices get three bits. We realize a secret sharing scheme for $G$, for a secret of two bits, using such optimal schemes for the paths belonging to $C$. A vertex of $G$ of degree one can only be a terminal vertex of a path, so it receives two bits. If a vertex has degree two then it belongs to only one path, and it receives three bits; it cannot be a terminal vertex of two different paths since we consider a covering by maximal-length paths. If a vertex has degree three then it cannot belong to three different paths, since we consider a covering by maximal-length paths, so it belongs to two paths: it is a terminal vertex of one path and a central vertex of another path, and it gets five bits in total. Thus we can construct a secret sharing scheme for $G$ giving each vertex at most five bits for a secret of two bits, obtaining a secret sharing scheme with information rate equal to $2/5$. □

If we know the number of vertices in the graph $G$ then we can improve the previous bound, as stated by the next lemma.

Lemma 15.  Let $G$ be a graph of maximum degree 3 with $n$ vertices. Then

$$\rho^*(G) \ge \frac{2}{5 - 3/n}.$$

Proof. Let $G_X$, with $X \in V(G)$, be the graph defined in Lemma 13. Consider the graph $G'$ where $V(G') = V(G) - (\{X\} \cup degree\text{-}one(X))$ and $E(G') = E(G) - Inc(X)$. We realize a secret sharing scheme for $G'$, for a secret of two bits, using the technique shown in Lemma 14. Each vertex $Y \in Adj(X) \cap V(G')$ gets at most 3 bits, since $|Inc(Y)| \le 2$ in $G'$, while the other vertices get at most 5 bits. A secret sharing scheme for $G$ can be realized by joining the scheme for $G_X$ and the scheme for $G'$. Thus we can realize a secret sharing scheme for $G$, for a secret consisting of two bits, giving two bits to a predetermined vertex while the other vertices get at most five bits. If we take $n$ of these schemes, one for each vertex, and compose them, we obtain a secret sharing scheme for a secret of $2n$ bits giving each vertex at most $2 + 5(n-1) = 5n - 3$ bits, so the information rate of this scheme is $2n/(5n-3) = 2/(5 - 3/n)$. □

Applying the same reasoning of Lemma 14 to graphs of odd maximum degree $d$ leads to the bound $\rho^*(G) \ge 1/(1.5 \lfloor d/2 \rfloor + 1)$, which is worse than the previous bounds.

Regardless of the degree, it is possible to obtain better bounds for trees. We recall that an internal vertex is a vertex of degree greater than one.

Lemma 16.  Let $G$ be a tree with $n$ internal vertices. Then

$$\rho^*(G) \ge \frac{n}{2n-1}.$$

Proof. In [4] it was shown how to obtain a secret sharing scheme for any tree with information rate equal to $1/2$. This scheme, for a secret consisting of a single bit, gives one bit to a predetermined vertex $X \in V(G)$ and to all non-internal vertices, whereas each other vertex gets two bits. We use this construction as the basic construction. If we take $n$ of these schemes, one for each internal vertex, and compose them, it is possible to realize a secret sharing scheme for $G$, for a secret of $n$ bits, giving each vertex at most $2(n-1) + 1 = 2n - 1$ bits. Thus

$$\rho^*(G) \ge \frac{n}{2n-1}.$$

□
If only the number of vertices is known, what can we say about the information rate of a graph $G$? The maximum degree of $G$ can be as bad as $n - 1$. Thus, the bound of [6] gives $\rho^*(G) \ge 1/(\lceil (n-1)/2 \rceil + 1)$, while the bound of Lemma 13 gives $\rho^*(G) \ge 1/(\lceil (n-1)/2 \rceil + 1 - \lceil (n-1)/2 \rceil / n)$ if $n$ is even.

In this last part of the paper we present general lower bounds on the information rate and average information rate for any graph $G$ with $n$ vertices. The lower bounds are obtained by using known results on the covering of the edges of a graph by means of complete bipartite graphs. We first recall that Brickell and Davenport [5] proved that a graph $G$ has information rate 1 if and only if $G$ is a complete multipartite graph.

Tuza [22] proved that the edge set of an arbitrary graph $G$ can be covered by complete bipartite subgraphs such that the sum of the numbers of vertices of these subgraphs is less than $3n^2/(2 \log n) + o(n^2/\log n)$. Using the above quoted result by Brickell and Davenport (each complete bipartite piece has a scheme of rate 1, and a vertex receives one share per piece containing it), we get that the optimal average information rate for any graph $G$ with $n$ vertices is greater than $n$ times the inverse of $3n^2/(2 \log n) + f(n)$, where $|f(n)| < \epsilon n^2/\log n$ for all $\epsilon > 0$ and sufficiently large $n$. Therefore, the average information rate is greater than $2 \log n/(3n) + g(n)$, where $|g(n)| < \left(2\epsilon/(3(\epsilon + 3/2))\right) \log n / n$ if $|f(n)| < \epsilon n^2/\log n$.

Feder and Motwani [10] proved that the problem of partitioning the edges of a graph $G$ into complete bipartite graphs such that the sum of the cardinalities of their vertex sets is minimized is NP-complete. However, they proved that the edge set of a graph $G = (V, E)$, with $|V| = n$ and $|E| = m$, can be partitioned into complete bipartite graphs with sum of the cardinalities of their vertex sets

$$O\!\left(\frac{m \log (n^2/m)}{\log n}\right),$$

and presented an efficient algorithm to compute such a partition. Using their result, it follows that there is a secret sharing scheme with average information rate at least $\Omega\!\left(\frac{n \log n}{m \log (n^2/m)}\right)$.

Finally, we recall a result of Erdős and Pyber [9] (see also [18]) which states that the edges of a graph $G$ with $n$ vertices can be partitioned into complete bipartite graphs such that each vertex of $G$ is contained in at most $O(n/\log n)$ complete bipartite graphs. This result directly implies that the optimal information rate of $G$ is $\rho^*(G) = \Omega\!\left(\frac{\log n}{n}\right)$.

These results can be summarized in the following theorem.

Theorem 17.  Let $G$ be a graph with $n$ vertices and $m$ edges. Then the optimal average information rate for $G$ satisfies

$$\tilde\rho^*(G) \ge \frac{2 \log n}{3n} + o\!\left(\frac{\log n}{n}\right)$$

and

$$\tilde\rho^*(G) = \Omega\!\left(\frac{n \log n}{m \log (n^2/m)}\right).$$

The optimal information rate for $G$ satisfies

$$\rho^*(G) = \Omega\!\left(\frac{\log n}{n}\right).$$

It is worth pointing out that if $G$ is a sparse graph, i.e., $m = \alpha n$ where $\alpha$ is a constant, then the above theorem implies that $\tilde\rho^*(G)$ is bounded from below by a constant. This result describes a wide class of graphs having average information rate that does not go to zero as the number of participants increases.
Appendix A

In this appendix we analyze all graphs on six vertices that have optimal information rate less than $2/3$ according to Theorem 10. The schemes for these graphs are obtained by using the Multiple Construction Technique [4] based on complete multipartite coverings of the graph. The optimal information rate is not greater than $3/5$ and the optimal average information rate is less than or equal to $3/4$ for all graphs from Theorem 10. All these results are summarized in Table 1, and the first CMC of each graph gives the scheme with the average information rate shown in Table 1. Below are depicted some of the minimal CMCs for the 5 graphs on 6 vertices.
Table 1. Information Rate and Average Information Rate 

Graph   | Information Rate   | Average Information Rate 
        | $\rho^* = 3/5$     | $\tilde{\rho}^* = 3/4$ 
$G_s$   | $\rho^* = 3/5$     | $2/3 < \tilde{\rho}^* < 3/4$ 


New General Lower Bounds on the Information 
Rate of Secret Sharing Schemes 
Lincoln, NE 68588-0115, U.S.A. 
stinson@bibd.unl.edu 

Abstract. We use two combinatorial techniques to apply a decompo- 
sition construction in obtaining general lower bounds on information 
rate and average information rate of certain general classes of access 
structures. The first technique uses combinatorial designs (in particular, 
Steiner systems $S(t, k, v)$). The second technique uses equitable edge- 
colourings of bipartite graphs. For uniform access structures of rank t, 
this second technique improves the best previous general bounds by a 
factor of t (asymptotically). 

1 Introduction and Terminology 

Informally, a secret sharing scheme is a method of sharing a secret key K among 
a finite set of participants in such a way that certain specified subsets of par- 
ticipants can compute the secret key K. The value K is chosen by a special 
participant called the dealer. 

We will use the following notation. Let $\mathcal{P} = \{P_i : 1 \le i \le w\}$ be the set of 
participants. The dealer is denoted by $D$ and we assume $D \notin \mathcal{P}$. $\mathcal{K}$ is the key set 
(i.e. the set of all possible keys) and $\mathcal{S}$ is the share set (i.e. the set of all possible 
shares). Let $\Gamma$ be a set of subsets of $\mathcal{P}$; this is denoted mathematically by the 
notation $\Gamma \subseteq 2^{\mathcal{P}}$. The subsets in $\Gamma$ are those subsets of participants that should 
be able to compute the secret. $\Gamma$ is called an access structure and the subsets in 
$\Gamma$ are called authorized subsets. 

When a dealer $D$ wants to share a secret $K \in \mathcal{K}$, he will give each participant 
a share from $\mathcal{S}$. The shares should be distributed secretly, so no participant knows 
the share given to another participant. At a later time, a subset of participants 
will attempt to determine $K$ from the shares they collectively hold. We will say 
that a scheme is a perfect secret sharing scheme realizing the access structure $\Gamma$ 
provided the following two properties are satisfied: 

1. If an authorized subset of participants $B \subseteq \mathcal{P}$ pool their shares, then they 
can determine the value of $K$. 

2. If an unauthorized subset of participants $B \subseteq \mathcal{P}$ pool their shares, then they 
can determine nothing about the value of $K$. 

E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 168-182, 1993. 
© Springer-Verlag Berlin Heidelberg 1993 
The security of such a scheme is unconditional, since we do not place any limit 
on the amount of computation that can be performed by a subset of participants. 

Suppose that $B \in \Gamma$, $B \subseteq C \subseteq \mathcal{P}$ and the subset $C$ wants to determine $K$. 
Since $B$ is an authorized subset, it can already determine $K$. Hence, the subset 
$C$ can determine $K$ by ignoring the shares of the participants in $C \setminus B$. Stated 
another way, a superset of an authorized set is again an authorized set. What 
this says is that the access structure should satisfy the monotone property: 

if $B \in \Gamma$ and $B \subseteq C \subseteq \mathcal{P}$, then $C \in \Gamma$. 

If $\Gamma$ is an access structure, then $B \in \Gamma$ is a minimal authorized subset if 
$A \notin \Gamma$ whenever $A \subseteq B$, $A \ne B$. The set of minimal authorized subsets of $\Gamma$ is 
denoted $\Gamma_0$ and is called the basis of $\Gamma$. Since $\Gamma$ consists of all subsets of $\mathcal{P}$ that 
are supersets of a subset in the basis $\Gamma_0$, $\Gamma$ is determined uniquely as a function 
of $\Gamma_0$. Expressed mathematically, we have 

$\Gamma = \{C \subseteq \mathcal{P} : B \subseteq C, B \in \Gamma_0\}.$ 

We say that $\Gamma$ is the closure of $\Gamma_0$ and write $\Gamma = cl(\Gamma_0)$. 

We define the rank of an access structure $\Gamma$ to be the maximum cardinality 
of a minimal authorized subset. An access structure is uniform if every minimal 
authorized subset has the same cardinality. Observe that the rank of $\Gamma$ is two if 
and only if $\Gamma = cl(E(G))$, where $E(G)$ denotes the edge set of a graph $G$. 

We now briefly describe a general mathematical model for secret sharing 
and discuss the concept of security. In this model, we represent a secret sharing 
scheme by a set $\mathcal{F}$ of distribution rules. A distribution rule is a function 

$f : \mathcal{P} \cup \{D\} \to \mathcal{K} \cup \mathcal{S}$ 

which satisfies the conditions $f(D) \in \mathcal{K}$, and $f(P_i) \in \mathcal{S}$ for $1 \le i \le w$. A 
distribution rule $f$ represents a possible distribution of shares to the participants, 
where $f(D)$ is the secret key being shared, and $f(P_i)$ is the share given to $P_i$. 
If $\mathcal{F}$ is a set of distribution rules and $K \in \mathcal{K}$, denote 

$\mathcal{F}_K = \{f \in \mathcal{F} : f(D) = K\}.$ 

If $K \in \mathcal{K}$ is the value of the secret that $D$ wishes to share, then $D$ will choose a 
random distribution rule $f \in \mathcal{F}_K$, and use it to distribute shares. 

Suppose $\Gamma$ is an access structure and $\mathcal{F}$ is a set of distribution rules. Suppose 
the following two properties are satisfied: 

(*) Let $B \in \Gamma$, and suppose $f, g \in \mathcal{F}$. If $f(P_i) = g(P_i)$ for all $P_i \in B$, then 
$f(D) = g(D)$. 

(**) Let $B \notin \Gamma$ and suppose $f : B \to \mathcal{S}$. Then there exists a non-negative 
integer $\lambda(f, B)$ such that, for every $K \in \mathcal{K}$, 

$|\{g \in \mathcal{F}_K : g(P_i) = f(P_i)\ \forall P_i \in B\}| = \lambda(f, B).$ 
Then $\mathcal{F}$ is a perfect secret sharing scheme that realizes the access structure $\Gamma$. 
The property (*) is relatively straightforward: it says that the shares given to an 
authorized subset uniquely determine the value of the secret. The property (**) 
guarantees that the shares given to an unauthorized subset give no information 
as to the value of the secret. The list of shares $(f(P_i) : P_i \in B)$ given to an 
unauthorized subset $B$ will restrict the possible distribution rules to some subset 
of $\mathcal{F}$. However, the remaining possible rules will be equally divided among the 
possible keys. More precisely, for any assignment of shares $f$ to $B$, there will 
remain $\lambda(f, B)$ possible rules corresponding to each value of the secret. The 
formal security proof uses probability distributions; it can be found in [9]. 

As an example, in Figure 1 we present a perfect secret sharing scheme from 
[9] for the access structure having basis 

$C_6 = \{\{A, B\}, \{B, C\}, \{C, D\}, \{D, E\}, \{E, F\}, \{F, A\}\}.$ 

($C_6$ is the graph which is a cycle of length six.) 



Fig. 1. A Secret Sharing Scheme For $C_6$ 
The construction of secret sharing schemes for arbitrary access structures has 
been studied by several researchers. General construction methods are described 
in [14, 1, 21, 20]. 

2 Information Rate 

We measure the efficiency of a secret sharing scheme by the information rate. 
Suppose $\mathcal{F}$ is a set of distribution rules for a secret sharing scheme. For $1 \le i \le w$, 
define 

$S_i = \{f(P_i) : f \in \mathcal{F}\}.$ 

$S_i$ represents the set of possible shares that $P_i$ might receive; of course $S_i \subseteq \mathcal{S}$. 
Now, since the secret key $K$ comes from a finite set $\mathcal{K}$, we can think of $K$ as 
being represented by a bit-string of length $\log_2 |\mathcal{K}|$, by using a binary encoding, 
for example. In a similar way, a share given to $P_i$ can be represented by a bit-string 
of length $\log_2 |S_i|$. Intuitively, $P_i$ receives $\log_2 |S_i|$ bits of information (in 
his or her share), but the information content of the secret is $\log_2 |\mathcal{K}|$ bits. The 
information rate for $P_i$ is the ratio 

$\rho_i = \frac{\log_2 |\mathcal{K}|}{\log_2 |S_i|}.$ 

The information rate [9] of the scheme is denoted by $\rho$ and is defined as 

$\rho = \min\{\rho_i : 1 \le i \le w\}.$ 

The average information rate [3, 17], denoted by $\tilde{\rho}$, is the harmonic mean of the 
$\rho_i$'s: 

$\tilde{\rho} = \frac{w}{\sum_{i=1}^{w} 1/\rho_i} = \frac{w \log_2 |\mathcal{K}|}{\sum_{i=1}^{w} \log_2 |S_i|}.$ 

The scheme of Figure 1 has $\rho = \tilde{\rho} = \log_2 2 / \log_2 3 \approx .63$. (This is not optimal: 
the optimal scheme has rate 2/3 [4].) 

It is easy to prove that $\rho \le \tilde{\rho} \le 1$ in any scheme, and that $\rho = 1$ if and only 
if $\tilde{\rho} = 1$. Since $\rho = \tilde{\rho} = 1$ is the optimal situation, we refer to such a scheme 
as an ideal scheme. Ideal schemes have been studied extensively; see for example 
[7, 8, 17, 15, 18]. In the cases where ideal schemes do not exist, the objective is 
to construct a scheme with (average) information rate as close to one as possible. 
Research in this direction can be found in [9, 10, 4, 22, 16]. 

3 A Decomposition Construction 

Our main recursive construction uses small schemes as building blocks in the 
construction of larger schemes. We call this the decomposition construction. 
Note that various versions of this construction have been described in several 
papers, such as [9, 4, 22, 17, 16]. 

We will use the notation $PS(\Gamma, \rho, q)$ to denote a perfect secret sharing scheme 
with access structure $cl(\Gamma)$ and information rate at least $\rho$ for a set of $q$ keys. 
Analogously, a perfect secret sharing scheme with access structure $cl(\Gamma)$ and average 
information rate at least $\tilde{\rho}$ for a set of $q$ keys will be denoted by $\widetilde{PS}(\Gamma, \tilde{\rho}, q)$. 

Suppose $\Gamma$ is an access structure having basis $\Gamma_0$. A decomposition of $\Gamma_0$ 
consists of a set $\{\Gamma_1, \ldots, \Gamma_n\}$ such that the following properties are satisfied: 

1. $\Gamma_k \subseteq \Gamma_0$ for $1 \le k \le n$ 

Often, $\{\Gamma_1, \ldots, \Gamma_n\}$ will form a partition of $\Gamma_0$, but this is not a requirement. 
For $1 \le k \le n$, define $\mathcal{P}_k = \bigcup_{B \in \Gamma_k} B$; $\mathcal{P}_k$ denotes the set of participants in a 
scheme with access structure $cl(\Gamma_k)$. 

We present the following two results, both of which use the same construction. 
Theorem 1. Let $\Gamma$ be an access structure on $w$ participants having basis $\Gamma_0$ and 
suppose that $\{\Gamma_1, \ldots, \Gamma_n\}$ is a decomposition of $\Gamma_0$. Let $q$ be an integer and for 
$1 \le k \le n$, suppose there exists a $PS(\Gamma_k, \rho_k, q)$. For $1 \le i \le w$, let 

$R_i = \frac{1}{\sum_{k : P_i \in \mathcal{P}_k} 1/\rho_k}.$ 

Then there exists a $PS(\Gamma, \rho, q)$, where 

$\rho = \min\{R_i : 1 \le i \le w\}.$ 

Theorem 2. Let $\Gamma$ be an access structure on $w$ participants having basis $\Gamma_0$ and 
suppose that $\{\Gamma_1, \ldots, \Gamma_n\}$ is a decomposition of $\Gamma_0$. Let $q$ be an integer and for 
$1 \le k \le n$, suppose there exists a $\widetilde{PS}(\Gamma_k, \tilde{\rho}_k, q)$. Then there exists a $\widetilde{PS}(\Gamma, \tilde{\rho}, q)$, 
where 

$\tilde{\rho} = \frac{w}{\sum_{k=1}^{n} |\mathcal{P}_k| / \tilde{\rho}_k}.$ 

Remark. If we define $R_i$ as in Theorem 1 for $1 \le i \le w$, then 

$\tilde{\rho} = \frac{w}{\sum_{i=1}^{w} 1/R_i}.$ 

Proof. Let $\mathcal{K}$ be a fixed set of $q$ keys. For $1 \le k \le n$, let $\mathcal{F}^k$ denote the distribution 
rules in a $PS(\Gamma_k, \rho_k, q)$ with key set $\mathcal{K}$. For any $K \in \mathcal{K}$, and for $1 \le k \le n$, 
we have 

$\mathcal{F}^k = \bigcup_{K \in \mathcal{K}} \mathcal{F}^k_K,$ 

where $\mathcal{F}^k_K$ consists of the distribution rules in $\mathcal{F}^k$ for which the key value is $K$. For 
$1 \le k \le n$, suppose $f^k_K \in \mathcal{F}^k_K$. Define a distribution function $f^1_K \times f^2_K \times \ldots \times f^n_K$ 
which gives to each participant $P_i$ the list of shares 

$(f^k_K(P_i) : P_i \in \mathcal{P}_k).$ 

We construct a $PS(\Gamma, \rho, q)$ in which $\mathcal{F} = \bigcup_{K \in \mathcal{K}} \mathcal{F}_K$, where 

$\mathcal{F}_K = \{f^1_K \times f^2_K \times \ldots \times f^n_K : f^k_K \in \mathcal{F}^k_K, 1 \le k \le n\}.$ 

The verifications and the computation of the information rate are straightforward. □ 
Let us look at an example to illustrate these constructions. Consider the 
access structure having basis 

$\Gamma_0 = \{\{A, B\}, \{A, C\}, \{B, C\}, \{C, D\}, \{C, E\}, \{D, E\}, \{E, F\}, \{E, A\}, \{F, A\}\}.$ 

Consider the decomposition 

$\Gamma_1 = \{\{A, B\}, \{B, C\}, \{C, D\}, \{D, E\}, \{E, F\}, \{F, A\}\}$ 
$\Gamma_2 = \{\{A, C\}, \{C, E\}, \{E, A\}\}.$ 

We have already seen in Fig. 1 that there is a $PS(\Gamma_1, \log 2/\log 3, 2)$. For all $q \ge 3$, 
a $PS(\Gamma_2, 1, q)$ exists from [9]. However, in order to apply the decomposition 
construction, we need schemes with the same number of keys. This creates no 
problem, as it follows from [9] that a $PS(\Gamma_1, \log 2/\log 3, 2)$ implies the existence 
of a $PS(\Gamma_1, \log 2/\log 3, 2^j)$ for all $j \ge 1$. So we can take $q = 2^j$, $j \ge 2$. From 
Theorem 1 we get a $PS(\Gamma, \rho, q)$ where $\rho = \log 2/\log 6 \approx .38$, and Theorem 2 
yields a $\widetilde{PS}(\Gamma, \tilde{\rho}, q)$ where $\tilde{\rho} = \log 4/\log 18 \approx .47$. 

However, if we use a different decomposition, we can do better. Define 

$\Gamma_3 = \{\{A, B\}, \{B, C\}, \{A, C\}\}$ 
$\Gamma_4 = \{\{C, D\}, \{D, E\}, \{C, E\}\}$ 
$\Gamma_5 = \{\{E, F\}, \{F, A\}, \{E, A\}\}.$ 

For any $q \ge 3$, there exists a $PS(\Gamma_i, 1, q)$ for $i = 3, 4, 5$, and we obtain a 
$PS(\Gamma, 1/2, q)$ and a $\widetilde{PS}(\Gamma, 2/3, q)$. 

This scheme could be implemented as follows: Suppose $q \ge 3$ is prime and 
let $\mathcal{K} = GF(q)$. Then $\mathcal{F}_K = \{f_{r_3, r_4, r_5, K} : r_3, r_4, r_5 \in GF(q)\}$, where 

$f_{r_3, r_4, r_5, K}(A) = (r_3, 2K + r_5)$ 
$f_{r_3, r_4, r_5, K}(B) = K + r_3$ 

$f_{r_3, r_4, r_5, K}(D) = K + r_4$ 

$f_{r_3, r_4, r_5, K}(E) = (r_5, 2K + r_4)$ 

$f_{r_3, r_4, r_5, K}(F) = K + r_5.$ 
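The scheme just described, as an added example that is not part of the paper: all distribution rules over GF(7) are enumerated and checked by brute force against properties (*) and (**) of Section 1, and the rates of Section 2 are computed. The share of $C$ is missing from the scanned text; by symmetry with the other five shares it is assumed here to be $(2K + r_3, r_4)$.

```python
# Added example: the decomposition scheme for the triangles {A,B,C}, {C,D,E},
# {E,F,A} over GF(q), checked by brute force against (*) and (**) of Section 1.
# The share of C is missing from the scanned text; by symmetry with the other
# five shares it is ASSUMED here to be (2K + r_3, r_4).
from itertools import product, combinations
from math import log2

Q = 7  # any odd prime q >= 3: the scheme divides by 2, so q must be odd
PARTICIPANTS = "ABCDEF"
BASIS = [frozenset(s) for s in ("AB", "BC", "AC", "CD", "DE", "CE", "EF", "FA", "EA")]

def distribution_rule(K, r3, r4, r5):
    """The rule f_{r3,r4,r5,K}: each participant's share as a tuple over GF(Q).
    r3, r4, r5 are the randomness of the triangles Gamma_3, Gamma_4, Gamma_5."""
    return {
        "A": (r3 % Q, (2 * K + r5) % Q),
        "B": ((K + r3) % Q,),
        "C": ((2 * K + r3) % Q, r4 % Q),   # assumed, see the note above
        "D": ((K + r4) % Q,),
        "E": (r5 % Q, (2 * K + r4) % Q),
        "F": ((K + r5) % Q,),
    }

def all_rules():
    """The family F = union of the F_K: every distribution rule, grouped by key K."""
    return {K: [distribution_rule(K, *r) for r in product(range(Q), repeat=3)]
            for K in range(Q)}

def is_authorized(subset):
    """B is authorized iff it contains a basis element (the closure cl(Gamma_0))."""
    return any(B <= subset for B in BASIS)

def check_perfect(rules):
    """True iff (*) holds for every authorized subset and (**) for every
    unauthorized subset, i.e. the rules form a perfect scheme for cl(Gamma_0)."""
    for size in range(1, len(PARTICIPANTS) + 1):
        for subset in combinations(PARTICIPANTS, size):
            members = sorted(subset)
            # the list of shares (f(P_i) : P_i in B), collected per key value K
            views = {K: [tuple(f[p] for p in members) for f in fs]
                     for K, fs in rules.items()}
            if is_authorized(frozenset(subset)):
                # (*): equal shares on B force equal keys
                key_of_view = {}
                for K, vs in views.items():
                    for v in vs:
                        if key_of_view.setdefault(v, K) != K:
                            return False
            else:
                # (**): each view is matched by lambda(f,B) rules in every F_K
                counts = []
                for vs in views.values():
                    c = {}
                    for v in vs:
                        c[v] = c.get(v, 0) + 1
                    counts.append(c)
                if any(c != counts[0] for c in counts):
                    return False
    return True

def rates(rules):
    """(rho, rho-tilde): rho_i = log2|K| / log2|S_i|, rho = min rho_i,
    rho-tilde = harmonic mean of the rho_i (Section 2)."""
    share_sets = {p: set() for p in PARTICIPANTS}
    for fs in rules.values():
        for f in fs:
            for p, s in f.items():
                share_sets[p].add(s)
    rho_i = [log2(Q) / log2(len(S_i)) for S_i in share_sets.values()]
    return min(rho_i), len(rho_i) / sum(1 / r for r in rho_i)

if __name__ == "__main__":
    F = all_rules()
    print("perfect:", check_perfect(F))
    print("rho = %.3f, average rate = %.3f" % rates(F))
```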

In the remaining sections of this paper, we use two combinatorial techniques 
to apply the decomposition construction in obtaining general lower bounds on 
information rate and average information rate of certain general classes of access 
structures. The first technique uses combinatorial designs (in particular, Steiner 
systems S(t, k, v)). (Due to a lack of knowledge of infinite classes of Steiner 
systems for t > 3, this technique is applicable primarily to access structures of 
ranks two and three.) The second technique uses equitable edge-colourings of 
bipartite graphs. We first give a new proof of a result proved by Brickell and 
Stinson [9] which applies to access structures of rank two. Then we describe 
some generalizations to access structures of higher rank which improve the best 
previous general bounds by a factor of $t$ (asymptotically). 
4 Applications Using Steiner Systems 

4.1 Two Corollaries of the Decomposition Construction 

In this section we discuss applications of the decomposition construction using 
combinatorial designs. A Steiner system $S(t, k, w)$ is a pair $(X, \mathcal{A})$, where $X$ is a 
set of $w$ elements (called points) and $\mathcal{A}$ is a set of $k$-subsets of $X$ (called blocks), 
such that every $t$-subset of points occurs in exactly one block. An $S(t, k, w)$ is 
said to be non-trivial if $t < k < w$. We note that no non-trivial Steiner systems 
are known to exist for $t > 5$, and very few are known to exist for $t > 3$. For 
general information on the existence of Steiner systems, we refer to [2]. 

Suppose $\Gamma$ is an access structure of rank $t$ on $w$ participants, having basis 
$\Gamma_0$. Suppose also that $(X, \mathcal{A})$ is an $S(t, k, w)$. We can use $(X, \mathcal{A})$ to construct a 
decomposition of $\Gamma_0$, as follows: For every block $A \in \mathcal{A}$, define 

$\Gamma_A = \{B \in \Gamma_0 : B \subseteq A\}.$ 

Then $\{\Gamma_A : A \in \mathcal{A}\}$ is a decomposition of $\Gamma_0$ (observe that it is a partition if 
and only if $\Gamma$ is uniform). 

Now suppose that we compute values $\pi_{k,t}$ and $q_{k,t}$ such that there exists 
a $PS(\Gamma', \pi_{k,t}, q_{k,t})$ for any access structure $\Gamma'$ of rank $\le t$ on $k$ participants. 
Now, in the Steiner system, elementary counting shows that each point occurs 
in exactly $\binom{w-1}{t-1} / \binom{k-1}{t-1}$ blocks. Hence, when we apply Theorem 1, we get 

$R_i = \pi_{k,t} \binom{k-1}{t-1} \Big/ \binom{w-1}{t-1}$ 

for every point $i$. The resulting scheme is a $PS(\Gamma, \rho, q_{k,t})$ for $\rho = \pi_{k,t} \binom{k-1}{t-1} / \binom{w-1}{t-1}$. 
Summarizing, we have the following result. 

Theorem 3. Suppose $\Gamma$ is an access structure of rank $t$ on $w$ participants, 
and suppose that an $S(t, k, w)$ exists. Suppose there exists a $PS(\Gamma', \pi_{k,t}, q_{k,t})$ 
for any access structure $\Gamma'$ of rank $\le t$ on $k$ participants. Then there exists a 
$PS(\Gamma, \rho, q_{k,t})$ for $\rho = \pi_{k,t} \binom{k-1}{t-1} / \binom{w-1}{t-1}$. 

For average information rate, we get the following similar result by applying 
Theorem 2. 

Theorem 4. Suppose $\Gamma$ is an access structure of rank $t$ on $w$ participants, 
and suppose that an $S(t, k, w)$ exists. Suppose there exists a $\widetilde{PS}(\Gamma', \tilde{\pi}_{k,t}, q_{k,t})$ 
for any access structure $\Gamma'$ of rank $\le t$ on $k$ participants. Then there exists a 

$\widetilde{PS}(\Gamma, \tilde{\rho}, q_{k,t})$ for $\tilde{\rho} = \tilde{\pi}_{k,t} \binom{k-1}{t-1} / \binom{w-1}{t-1}$. 
4.2 Graph Access Structures 

The situation that has been studied the most is when the basis consists of the 
edges of a graph (i.e. the access structure has rank two); see [9, 4, 10], for 
example. If $G$ is a graph, then we will denote the vertex set of $G$ by $V(G)$, the 
edge set by $E(G)$, and a $PS(cl(E(G)), \rho, q)$ by $PS(G, \rho, q)$. 

Considerable attention has been paid to the graphs on at most five vertices. 
Lower bounds on the (average) information rate have been obtained in [4] by 
applying various versions of the decomposition construction. The following result 
updates the bounds of [4]: 

Theorem 5. 1. If $G$ is a graph with $|V(G)| \le 3$, then there is a $PS(G, 1, q)$ 
for any prime power $q \ge 3$. 

2. If $G$ is a graph with $|V(G)| = 4$, then there is a $PS(G, 2/3, q^2)$ and a 
$\widetilde{PS}(G, 4/5, q)$ for any prime power $q \ge 4$. 

3. If $G$ is a graph with $|V(G)| = 5$, then there is a $PS(G, 2/3, q^2)$ and a 
$\widetilde{PS}(G, 5/7, q)$ for any prime power $q \ge 5$. 

Proof. The only cases left unresolved in [4] concern the following four graphs on 
five vertices: 



[Figure: the four graphs $G_{12}$, $G_{13}$, $G_{14}$ and $G_{15}$, each drawn on the vertices $A$, $B$, $C$, $D$, $E$, are not reproduced in this copy.] 



For $G_{12}$, we produce a scheme which is simultaneously a $PS(G_{12}, 2/3, q^2)$ 
and a $\widetilde{PS}(G_{12}, 2/3, q^2)$, where $q \ge 5$ is a prime and $\mathcal{K} = (GF(q))^2$. For each 
$K = (K_1, K_2) \in \mathcal{K}$, $\mathcal{F}_K = \{f_{r_1, r_2, r_3, r_4, r_5, K} : r_1, r_2, r_3, r_4, r_5 \in GF(q)\}$, where 

$f_{r_1, r_2, r_3, r_4, r_5, K}(A) = (r_1, r_4, r_5 + K_1 + 3K_2)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(B) = (r_2, r_5, r_1 + K_1)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(C) = (r_3, r_1, r_2 + K_2)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(D) = (r_4, r_2, r_3 + K_1 + K_2)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(E) = (r_5, r_3, r_4 + K_1 + 2K_2).$ 

For $G_{13}$, we exhibit a scheme (constructed by Dean Hoffman) which is 
simultaneously a $PS(G_{13}, 2/3, q^2)$ and a $\widetilde{PS}(G_{13}, 10/13, q^2)$, where $q \ge 3$ is a 
prime and $\mathcal{K} = (GF(q))^2$. For each $K = (K_1, K_2) \in \mathcal{K}$, $\mathcal{F}_K = \{f_{r_1, r_2, r_3, r_4, K} : 
r_1, r_2, r_3, r_4 \in GF(q)\}$, where 

$f_{r_1, r_2, r_3, r_4, K}(A) = (r_1 + K_1, r_2)$ 
$f_{r_1, r_2, r_3, r_4, K}(B) = (r_1, r_2 + K_2, r_3)$ 
$f_{r_1, r_2, r_3, r_4, K}(C) = (r_2, r_3 + K_1, r_4)$ 
$f_{r_1, r_2, r_3, r_4, K}(D) = (r_3, r_4 + K_2)$ 
$f_{r_1, r_2, r_3, r_4, K}(E) = (r_1 + r_4 + K_1 + K_2, r_4 + K_2, r_2 - r_3).$ 

For $G_{14}$, we produce a scheme which is a $PS(G_{14}, 2/3, q^2)$, where $q \ge 5$ is a 
prime and $\mathcal{K} = (GF(q))^2$. For each $K = (K_1, K_2) \in \mathcal{K}$, $\mathcal{F}_K = \{f_{r_1, r_2, r_3, r_4, r_5, K} : 
r_1, r_2, r_3, r_4, r_5 \in GF(q)\}$, where 

$f_{r_1, r_2, r_3, r_4, r_5, K}(A) = (r_1 + K_1, r_2 + K_2, r_4)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(B) = (r_1, r_4 + K_1 + 2K_2, r_5)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(C) = (r_1 + K_1, r_3 + K_1 + 2K_2, r_5 + 2K_1 + K_2)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(D) = (r_2, r_4 + 2K_1 + 4K_2, r_5 + 2K_1 + K_2)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(E) = (r_2 + K_2, r_3, r_5).$ 

Finally, for $G_{15}$, we produce a scheme which is a $PS(G_{15}, 2/3, q^2)$, where 
$q \ge 5$ is a prime and $\mathcal{K} = (GF(q))^2$. For each $K = (K_1, K_2) \in \mathcal{K}$, $\mathcal{F}_K = 
\{f_{r_1, r_2, r_3, r_4, r_5, K} : r_1, r_2, r_3, r_4, r_5 \in GF(q)\}$, where 

$f_{r_1, r_2, r_3, r_4, r_5, K}(A) = (r_1 + K_1, r_4, r_5 + K_1 + 2K_2)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(B) = (r_2 + K_2, r_4 + 2K_1 + K_2, r_5)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(C) = (r_3, r_4 + 4K_1 + 2K_2, r_5 + 2K_1 + 4K_2)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(D) = (r_1, r_3 + K_1 + K_2, r_4 + 2K_1 + K_2)$ 
$f_{r_1, r_2, r_3, r_4, r_5, K}(E) = (r_2, r_3 + K_1 + K_2, r_5 + K_1 + 2K_2).$ 

□ 

Remark. With the schemes presented above, the optimal value of the information 
rate and average information rate is now determined for all graph access 
structures on at most five vertices. In each case, the upper bound presented in [4] 
turns out to be the correct value. Also, the constructions for $G_{12}$, $G_{14}$ and $G_{15}$ 
are based on a new generalization of the decomposition that we will present in 
a forthcoming paper. Finally, we remark that minor modifications of the above 
constructions will produce schemes where the number of keys is a prime power. 

Using the notation of Section 4.1, we can take $\pi_{3,2} = 1$, $\pi_{4,2} = 2/3$, and 
$\pi_{5,2} = 2/3$; $\tilde{\pi}_{3,2} = 1$, $\tilde{\pi}_{4,2} = 4/5$, and $\tilde{\pi}_{5,2} = 5/7$. 

In order to apply Theorems 3 and 4, we need information about Steiner 
systems $S(2, k, w)$ for $k = 3, 4, 5$. This information is summarized in the following 
theorem: 
Theorem 6. [13] Suppose $3 \le k \le 5$. Then there exists an $S(2, k, w)$ if and only 
if $w \equiv 1, k \pmod{k(k-1)}$. 

We obtain lower bounds on the (average) information rate of any graph on 
$w$ vertices that are presented in Table 1. For example, we see that there is a 
$PS(G, 1/3, q)$ for any graph $G$ having seven vertices, where $q \ge 3$ is a prime 
power. 



Table 1. Bounds on the Information Rate for Access Structures of Rank Two 

k | w                         | lower bound on $\rho$ or $\tilde{\rho}$   | number of keys 
3 | $w \equiv 1, 3 \pmod 6$   | $\rho \ge 2/(w-1)$                      | $q$, where $q \ge 3$ is a prime power 
4 | $w \equiv 1, 4 \pmod{12}$ | $\rho \ge 2/(w-1)$                      | $q^2$, where $q \ge 3$ is a prime power 
4 | $w \equiv 1, 4 \pmod{12}$ | $\tilde{\rho} \ge 12/(5(w-1))$          | $q$, where $q \ge 4$ is a prime power 
5 | $w \equiv 1, 5 \pmod{20}$ | $\rho \ge 8/(3(w-1))$                   | $q^2$, where $q \ge 5$ is a prime power 
5 | $w \equiv 1, 5 \pmod{20}$ | $\tilde{\rho} \ge 20/(7(w-1))$          | $q$, where $q \ge 5$ is a prime power 



It is interesting to observe how the bounds improve as we use designs with 
larger block size. Also, note that if there does not exist an $S(2, k, w)$, then we can 
take the smallest integer $w_0 > w$ such that there does exist an $S(2, k, w_0)$, and 
delete $w_0 - w$ points from the Steiner system, thereby constructing a pairwise 
balanced design [2]. Then apply Theorem 1 or 2 to obtain a scheme where the 
information rate is computed by replacing $w$ by $w_0$ in Table 1. 
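Theorems 1 to 3 applied to the Steiner system $S(2, 3, 7)$, as an added example that is not the paper's own code: the Fano plane blocks and the sample graphs on seven vertices are constructed inline, the edge set is decomposed block by block as in Section 4.1, and the rates $R_i$, $\rho$ and $\tilde{\rho}$ are computed as in Theorems 1 and 2 and the remark after Theorem 2.

```python
# Added example (not from the paper): Theorems 1-3 with the Steiner system
# S(2,3,7).  The Fano plane blocks and the sample graphs are constructed here.
from itertools import combinations
from math import comb

# blocks of S(2,3,7) on the points 0..6 (constructed sample input)
FANO = [frozenset(b) for b in ((0, 1, 2), (0, 3, 4), (0, 5, 6), (1, 3, 5),
                                 (1, 4, 6), (2, 3, 6), (2, 4, 5))]

def is_steiner_system(blocks, t, k, w):
    """S(t,k,w): blocks are k-subsets of 0..w-1 and every t-subset of points
    lies in exactly one block."""
    points = set(range(w))
    if any(len(A) != k or not A <= points for A in blocks):
        return False
    return all(sum(1 for A in blocks if set(T) <= A) == 1
               for T in combinations(points, t))

def steiner_decomposition(basis, blocks):
    """Section 4.1: Gamma_A = {B in Gamma_0 : B subset of A}, one part per block."""
    return [[B for B in basis if B <= A] for A in blocks]

def decomposition_rates(w, parts, part_rates):
    """Theorems 1 and 2 with the remark after Theorem 2:
    R_i = 1 / sum_{k : P_i in P_k} 1/rho_k,  rho = min R_i,
    rho-tilde = w / sum_i 1/R_i.  Returns (rho, rho-tilde, [R_i]).
    Every participant must occur in some basis element (no isolated vertex)."""
    R = []
    for i in range(w):
        inv = sum(1 / part_rates[k] for k, part in enumerate(parts)
                  if any(i in B for B in part))        # parts whose P_k contains P_i
        R.append(1 / inv)
    return min(R), w / sum(1 / r for r in R), R

def theorem3_bound(pi, t, k, w):
    """rho = pi_{k,t} * C(k-1,t-1) / C(w-1,t-1) from Theorem 3."""
    return pi * comb(k - 1, t - 1) / comb(w - 1, t - 1)

def complete_graph(w):
    return [frozenset(e) for e in combinations(range(w), 2)]

def cycle_graph(w):
    return [frozenset((i, (i + 1) % w)) for i in range(w)]

def fano_rates(edges):
    """Decompose a graph on 7 vertices by the Fano plane; each part lives on at
    most 3 vertices, so by Theorem 5(1) it has an ideal scheme (rate 1)."""
    parts = steiner_decomposition(edges, FANO)
    return decomposition_rates(7, parts, [1.0] * len(parts))

if __name__ == "__main__":
    print("S(2,3,7) ok:", is_steiner_system(FANO, 2, 3, 7))
    print("K_7: rho = %.3f, rho-tilde = %.3f" % fano_rates(complete_graph(7))[:2])
    print("C_7: rho = %.3f, rho-tilde = %.3f" % fano_rates(cycle_graph(7))[:2])
```

For the complete graph $K_7$ every vertex meets all three of its blocks, so the exact rate equals the Theorem 3 bound $1/3$; for the 7-cycle, parts with no edge at a vertex contribute no share, so the computed rates exceed the bound.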

4.3 Rank Three Access Structures 

We can apply the same techniques to access structures of rank three, using the 
following results concerning access structures on four participants, proved in 
[22, 17]. 

Theorem 7. 1. If $\Gamma$ is a rank three access structure on four participants, then 
there is a $PS(\Gamma, 2/3, q^2)$ and a $\widetilde{PS}(\Gamma, 4/5, q)$ for any prime power $q \ge 4$. 
2. If $\Gamma$ is a uniform rank three access structure on four participants, then there 
is a $PS(\Gamma, 1, q)$ for any prime power $q \ge 4$. 

Using the notation of Section 4.1, we can let $\pi_{4,3} = 2/3$ and $\tilde{\pi}_{4,3} = 4/5$. The 
relevant Steiner systems $S(3, 4, w)$ exist as follows: 
Theorem 8. [12] There exists an $S(3, 4, w)$ if and only if $w \equiv 2, 4 \pmod 6$. 

Application of Theorems 3 and 4 yields the bounds for access structures of 
rank three presented in Table 2. 

Table 2. Bounds on the Information Rate for Access Structures of Rank Three 

w                        | lower bound on $\rho$ or $\tilde{\rho}$                    | number of keys 
$w \equiv 2, 4 \pmod 6$  | $\rho \ge 4/((w-1)(w-2))$                                 | $q^2$, where $q \ge 4$ is a prime power 
$w \equiv 2, 4 \pmod 6$  | $\tilde{\rho} \ge 24/(5(w-1)(w-2))$                       | $q$, where $q \ge 4$ is a prime power 
$w \equiv 2, 4 \pmod 6$  | $\rho \ge 6/((w-1)(w-2))$ if $\Gamma$ is uniform          | $q$, where $q \ge 4$ is a prime power 



5 Applications Using Edge-colourings of Bipartite 
Graphs 

The following result was proved in [9]. 

Theorem 9. Suppose $G$ is a graph in which the maximum vertex degree is $d$. 
Then there exists a $PS(G, 1/(\lceil d/2 \rceil + 1), q)$ for any prime power $q \ge 2$. 

Remark. For the case of odd $d$, an improved bound is given in [5]. 

Theorem 9 is proved by decomposing $G$ into complete bipartite graphs $K_{1,m}$ 
(called stars) in such a way that any vertex of $G$ is in at most $\lceil d/2 \rceil + 1$ of the 
stars. It has been shown in [8] that there is a $PS(K_{1,m}, 1, q)$ for any prime power 
$q \ge 2$. Hence, the result follows from Theorem 1. 

The star decomposition was obtained in [9] by first constructing an Eulerian 
tour in a multigraph related to $G$. We will present an alternative proof of Theorem 9 
which appears to be more easily generalizable. This proof makes use of 
a result concerning edge-colourings of bipartite graphs. 

For a graph $G$, denote the degree of a vertex $x$ by $d_G(x)$. Suppose $l$ is an 
integer. An $l$-edge colouring of $G$ is a function $f : E(G) \to \{1, \ldots, l\}$. $f$ induces 
a partition $E(G) = \bigcup_{i=1}^{l} E_i(G)$, where $E_i(G) = f^{-1}(i)$, $1 \le i \le l$ (that is, $E_i(G)$ 
consists of the edges of $G$ receiving colour $i$). An $l$-edge colouring is said to be 
equitable if, for every vertex $x \in V(G)$ and for every colour $i$ ($1 \le i \le l$), the 
number of edges in $E_i(G)$ incident with vertex $x$ is either $\lfloor d(x)/l \rfloor$ or $\lceil d(x)/l \rceil$. 

The following theorem of de Werra [11] (see also [6, pp. 62-63]) is of use to 
us: 
Theorem 10. If $G$ is a bipartite graph, then there exists an equitable $l$-edge 
colouring of $G$ for any positive integer $l$. 

Here now is an alternate proof of Theorem 9: 

Proof of Theorem 9. Construct a bipartite graph $H$ with bipartition $(V(G), E(G))$ 
having edge set 

$E(H) = \{xe : x \in V(G), e \in E(G), x \in e\}.$ 

By Theorem 10, there is an equitable 2-edge colouring of $H$. Each vertex $x \in 
V(G)$ has degree $d_G(x)$ in $H$ and each vertex $e \in E(G)$ has degree 2 in $H$. 
Hence, every vertex $e \in E(G)$ is incident with one edge of $E_1(H)$ and every 
vertex $x \in V(G)$ is incident with $\lfloor d(x)/2 \rfloor$ or $\lceil d(x)/2 \rceil$ edges of $E_1(H)$. 

For every vertex $x \in V(G)$, define a subgraph $G_x = \{e \in E(G) : xe \in 
E_1(H)\}$. It is not difficult to see that $\{G_x : x \in V(G)\}$ forms the desired star 
decomposition. □ 
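The proof of Theorem 9 carried out in code, as an added example that is not the paper's own: $H$ is built from $G$, an equitable 2-edge colouring of $H$ is found, and the stars $G_x$ are read off and checked against the bound $\lceil d/2 \rceil + 1$. Since the page does not give de Werra's algorithm, the colouring is produced by the Euler-circuit method that the text attributes to [9]; this is an assumption about the method, not a change to the result, and the sample graphs are constructed here.

```python
# Added example (not from the paper): the proof of Theorem 9 run on a graph.
# Theorem 10 is realised by the Euler-circuit method rather than de Werra's proof:
# odd-degree vertices are joined to a dummy vertex, each component is walked as
# an Euler circuit starting at the dummy where present, and the circuit is
# coloured alternately, which leaves every real vertex balanced to within one.
from collections import defaultdict
from math import ceil

def equitable_2_colouring(edges):
    """edges: list of (u, v) pairs of a simple bipartite graph.  Returns a list
    of colours (1 or 2), one per edge, equitable at every vertex."""
    DUMMY = ("dummy",)
    ext = list(edges)                      # real edges first, dummy edges appended
    adj = defaultdict(list)                # vertex -> indices of incident edges
    for idx, (u, v) in enumerate(ext):
        adj[u].append(idx)
        adj[v].append(idx)
    for x in [x for x in list(adj) if len(adj[x]) % 2 == 1]:
        adj[x].append(len(ext))
        adj[DUMMY].append(len(ext))
        ext.append((x, DUMMY))
    used = [False] * len(ext)
    ptr = defaultdict(int)

    def circuit_from(start):               # iterative Hierholzer; returns edge indices
        stack, walk = [(start, None)], []
        while stack:
            x, arrived_by = stack[-1]
            while ptr[x] < len(adj[x]) and used[adj[x][ptr[x]]]:
                ptr[x] += 1
            if ptr[x] < len(adj[x]):
                e = adj[x][ptr[x]]
                used[e] = True
                u, v = ext[e]
                stack.append((v if u == x else u, e))
            else:
                stack.pop()
                if arrived_by is not None:
                    walk.append(arrived_by)
        return walk                        # closed walk: consecutive edges share a vertex

    colour = [0] * len(edges)
    starts = ([DUMMY] if adj[DUMMY] else []) + [x for x in adj if x != DUMMY]
    for s in starts:
        for pos, e in enumerate(circuit_from(s)):
            if e < len(edges):             # dummy edges get no colour
                colour[e] = 1 + pos % 2
    return colour

def is_equitable(edges, colour):
    """Check the defining property: at every vertex the colour classes differ by <= 1."""
    at = defaultdict(lambda: [0, 0])
    for (u, v), c in zip(edges, colour):
        at[u][c - 1] += 1
        at[v][c - 1] += 1
    return all(abs(a - b) <= 1 for a, b in at.values())

def star_decomposition(G_edges):
    """Proof of Theorem 9: H has bipartition (V(G), E(G)) and edges xe with x in e;
    after an equitable 2-colouring, G_x = {e : xe in E_1(H)} is a star centred at x."""
    H_edges = [(x, ("edge", i)) for i, e in enumerate(G_edges) for x in e]
    colour = equitable_2_colouring(H_edges)
    assert is_equitable(H_edges, colour)
    stars = defaultdict(list)
    for (x, (_, i)), c in zip(H_edges, colour):
        if c == 1:
            stars[x].append(G_edges[i])
    return dict(stars)

def theorem9_rate(G_edges):
    """Returns (rho from Theorem 1, the bound 1/(ceil(d/2)+1), decomposition_ok).
    Each star is ideal (PS(K_{1,m},1,q)), so R_i = 1 / #stars containing P_i."""
    stars = star_decomposition(G_edges)
    ok = (sorted(e for S in stars.values() for e in S) == sorted(G_edges)
          and all(x in e for x, S in stars.items() for e in S))
    degree = defaultdict(int)
    for u, v in G_edges:
        degree[u] += 1
        degree[v] += 1
    in_stars = {v: sum(1 for S in stars.values() if any(v in e for e in S))
                for v in degree}
    rho = 1 / max(in_stars.values())
    bound = 1 / (ceil(max(degree.values()) / 2) + 1)
    return rho, bound, ok

def complete_graph(labels):
    return [(a, b) for i, a in enumerate(labels) for b in labels[i + 1:]]

def cycle_graph(labels):
    return [(labels[i], labels[(i + 1) % len(labels)]) for i in range(len(labels))]

if __name__ == "__main__":
    for name, G in (("K_5", complete_graph("ABCDE")), ("C_6", cycle_graph("ABCDEF"))):
        print(name, "rho = %.3f, bound = %.3f, valid = %s" % theorem9_rate(G))
```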

Let's consider how to generalize this result to uniform access structures of 
higher rank. As our "building blocks" we use a class of access structures that 
we call generalized stars. Let $t \ge 2$ and $m \ge t - 1$. Define a basis on $m + t - 1$ 
participants as follows: 

$\Gamma_0^*(t, m) = \{\{P_1, \ldots, P_{t-1}, P_j\} : t \le j \le m + t - 1\}.$ 

(In the case $t = 2$, $\Gamma_0^*(t, m)$ consists of the edges of a star graph $K_{1,m}$.) Define 
the centre of a generalized star to be the intersection of the basis subsets (i.e. 
$\{P_1, \ldots, P_{t-1}\}$ in the above example). Any access structure $\Gamma^*(t, m)$ is easily 
seen to be ideal. In fact, there exists a $PS(\Gamma^*(t, m), 1, q)$ for any prime power 
$q \ge t$ by a simple modification of a Shamir $(t, t)$-threshold scheme [19]. 

Now, suppose $\Gamma_0$ is the basis of a uniform access structure of rank $t$. Construct 
a bipartite graph $H$ as follows: The bipartition is $(X, Y)$, where $Y = \Gamma_0$ and 

$X = \{A : A \subseteq B \in \Gamma_0, |A| = t - 1\};$ 

and the edges in $H$ are 

$E(H) = \{AB : A \in X, B \in Y, A \subseteq B\}.$ 

(In the case $t = 2$, the graph is the same as the one constructed earlier.) 

Note that every vertex $B \in Y$ has degree $t$ in $H$. Now, apply Theorem 10 to 
obtain an equitable $t$-edge colouring of $H$. For every vertex $A \in X$, define 

$\Gamma_A = \{B \in Y : AB \in E_1(H)\}.$ 

Then each $\Gamma_A$ is a $\Gamma_0^*(t, m)$ where $m = \lceil d_H(A)/t \rceil$ or $m = \lfloor d_H(A)/t \rfloor$. $\{\Gamma_A : A \in 
X\}$ is a decomposition of $\Gamma_0$, and for every $A \in X$, there is a $PS(\Gamma_A, 1, q)$ for 
any prime power $q \ge t$. 
It remains to compute bounds on the $R_i$'s. Define $d_i$ (the degree of $P_i$) to be 
the number of $t$-subsets in $\Gamma_0$ which contain $P_i$. Then 



Now, $P_i$ is in the centre of $|\{A \in X : P_i \in A\}|$ of the $\Gamma_A$'s. Since we used an 
equitable colouring to construct the $\Gamma_A$'s, this accounts for at least 



$\sum_{A \in X : P_i \in A} \lfloor d_H(A)/t \rfloor$ 



of the $d_i$ $t$-subsets in $\Gamma_0$ that contain $P_i$. Hence, the number of $\Gamma_A$'s that contain 
$P_i$ is at most 



<|{A6X:Pi6^}|+ £ M 

= ^^\{AGX:P l eA}\ 



(d H {A) d a {A)-t+l 
1 t 



It is easy to see that 



hence, 



\{AeX:P.eA}\<^:^ 



Ri > 



for $1 \le i \le w$. 

Now $\rho$ is just the minimum of the $R_i$'s. To compute a bound on $\tilde{\rho}$, we use 
the remark following Theorem 2. We calculate: 



_ u> 

wt 

~ ELi ((2*-i)cr:, 1 ) + *) 

Summarizing, we have the following generalisation of Theorem 9: 
Theorem 11. Let $\Gamma$ be a uniform access structure of rank $t$ on $w$ participants, 
and denote by $d$ the maximum degree of any participant. Then there exists a 

P5(r - (^)h)+f q) * nd a ps{r ' ^-ifei^i '^ for any ?rime pov,er 

q>t. 

Asymptotically, the bound on $\rho$ represents an improvement by a factor of $t$ 
over the rate that would be obtained from the Benaloh-Leichter construction [1] 
using a disjunctive normal form boolean circuit. 

Finally, note that if $\Gamma$ is a non-uniform access structure of rank $t$, we can 
first partition the basis as $\Gamma_0 = \bigcup_{i=1}^{t} \Gamma_i$, where each $\Gamma_i$ is uniform of rank $i$, and 
then apply the techniques of this section to each $\Gamma_i$. 
Universally Ideal Secret Sharing Schemes 

"I weep for you," the Walrus said, 
"I deeply sympathize." 
With sobs and tears he sorted out 
Those of the largest size, 
Holding his pocket-handkerchief 
Before his streaming eyes. 

"O Oysters," said the Carpenter, 
"You've had a pleasant run! 
Shall we be trotting home again?" 
But answer came there none - 
And this was scarcely odd, because 
They'd eaten every one. 

from "Through the Looking-Glass" by Lewis Carroll 



Abstract. Given a set of parties {l,...,n}, an access structure is a 
monotone collection of subsets of the parties. For a certain domain of 
secrets, a secret sharing scheme for an access structure is a method for 
a dealer to distribute shares to the parties, such that only subsets in the 
access structure can reconstruct the secret. 

A secret sharing scheme is ideal if the domains of the shares are the 
same as the domain of the secrets. An access structure is universally 
ideal if there is an ideal secret sharing scheme for it over every finite 
domain of secrets. An obvious necessary condition for an access struc- 
ture to be universally ideal is to be ideal over the binary and ternary 
domains of secrets. In this work, we prove that this condition is also suf- 
ficient. In addition, we give an exact characterization for each of these 
two conditions, and show that each condition by itself is not sufficient 
for universally ideal access structures. 



1 Introduction 

A secret sharing scheme involves a dealer who has a secret, a finite set of n par- 
ties, and a collection A of subsets of the parties called the access structure. A 
secret-sharing scheme for A is a method by which the dealer distributes shares 
to the parties such that any subset in A can reconstruct the secret from its 
shares, and any subset not in A cannot reveal any partial information about 
the secret (in the information theoretic sense). A secret sharing scheme can only 
exist for monotone access structures, i.e. if a subset $A$ can reconstruct the secret, 
then every superset of $A$ can also reconstruct the secret. If the subsets that 
can reconstruct the secret are all the sets whose cardinality is at least a certain 
threshold $t$, then the scheme is called a $t$ out of $n$ threshold secret sharing scheme. 
Threshold secret sharing schemes were first introduced by Blakley [Bla79] and 
by Shamir [Sha79]. Secret sharing schemes for general access structures were 
first defined by Ito, Saito and Nishizeki in [ISN87]. Given any monotone access 
structure, they show how to realize a secret sharing scheme for the access structure. 
Benaloh and Leichter [BL88] describe a more efficient way to realize such 
secret sharing schemes. 

Even with the more efficient scheme of [BL88], most access structures require 
shares of exponential size: Even if the domain of the secret is binary, the shares 
are strings of length $2^{\Omega(n)}$, where $n$ is the number of participants. The question 
of lower bounds on the size of shares for some (explicit or random) access 
structures is still open. On the other hand, certain access structures give rise to 
very economical secret sharing schemes. A secret sharing scheme is called ideal 
if the shares are taken from the same domain as the secrets. An access structure 
is called $m$-ideal if there is an ideal secret sharing scheme which realizes the 
access structure over a domain of secrets of size $m$. 

Brickell [Bri89] was the first to introduce the notion of $m$-ideal access structures. 
Brickell and Davenport [BD91] have shown that such structures are closely 
related to matroids over a set containing the participants plus the dealer. They 
give a necessary condition for an access structure to be $m$-ideal (being a matroid) 
and a somewhat stronger sufficient condition (the matroid should be representable 
over a field or algebra of size $m$). Certain access structures, such as 
the threshold ones, are $m$-ideal for $m$ that is at least $n$. However, for domains 
of secrets which contain $m$ elements where $m$ is smaller than $n$, the threshold 
access structures are not $m$-ideal (for threshold $t$ such that $2 \le t \le n - 1$), 
as proved by Karnin, Greene and Hellman [KGH83]. This qualitative result was 
improved by Kilian and Nisan [KN90], who showed that the $t$ out of $n$ threshold 
secret sharing scheme over a binary domain of secrets requires shares from a 
domain that is at least of size $n - t + 2$ (for $2 \le t \le n - 1$). 

We say that an access structure is universally ideal if for every positive integer 
$m$, it is $m$-ideal. Universally ideal access structures are particularly convenient 
to work with because they are very efficient no matter what the domain of 
secrets is. A simple example of a universally ideal access structure is the n out 
of n threshold access structure. In this work we give a complete characterization 
of universally ideal access structures. Our work builds upon results of Brickell 
and Davenport which relate ideal access structures to matroids, as well as some 
known results from matroid theory. An obvious necessary condition for an access 
structure to be universally ideal is to be both 2— ideal and 3— ideal. Interestingly, 
our main result states that this condition is also sufficient. We give examples 
which demonstrate that just one of these two requirements is not a sufficient 
condition to be universally ideal. 

The remainder of this paper is organized as follows. In Section 2 we give formal definitions and quote the results of Brickell and Davenport. Section 3 states our main theorem, and details its proof. Section 4 illustrates some clarifying examples.

2 Definitions and Related Results

This section contains formal definitions and known related results that will be used in the rest of this paper.

2.1 Secret Sharing Schemes 

The definition of secret sharing schemes is based on [CK89]. 

Definition 1. Let $S = \{0, \ldots, m-1\}$ be a finite set of secrets. Let $\mathcal{A} \subseteq 2^{\{1, \ldots, n\}}$ be a monotone set (such that $\emptyset \notin \mathcal{A}$) called the access structure. We say that a secret-sharing scheme $\Pi$ realizes an access structure $\mathcal{A}$ with domain of secrets $S$ if $\Pi$ is a mapping $\Pi : S \times R \to S_1 \times S_2 \times \cdots \times S_n$ from the cross product of secrets and a set of random inputs to a set of $n$-tuples (the shares) such that the following two requirements hold:

1. The secret $s$ can be reconstructed by any subset in $\mathcal{A}$. That is, for any subset $A \in \mathcal{A}$ ($A = \{i_1, \ldots, i_{|A|}\}$), there exists a function $h_A : S_{i_1} \times \cdots \times S_{i_{|A|}} \to S$ such that for every random input $r$ it holds that if $\Pi(s, r) = (s_1, s_2, \ldots, s_n)$ then $h_A(\{s_i\}_{i \in A}) = s$.

2. Every subset not in $\mathcal{A}$ cannot reveal any partial information about the secret (in the information theoretic sense). Formally, for any subset $A \notin \mathcal{A}$, for every two secrets $a, b \in S$, and for every possible shares $\{s_i\}_{i \in A}$:

$\Pr[\{\Pi_i(a, r)\}_{i \in A} = \{s_i\}_{i \in A}] = \Pr[\{\Pi_i(b, r)\}_{i \in A} = \{s_i\}_{i \in A}]$

We denote the share of party $i$ by $\Pi_i(s, r)$.

Given a collection $\Gamma \subseteq 2^{\{1, \ldots, n\}}$, the closure of $\Gamma$, denoted by $\mathrm{cl}(\Gamma)$, is the minimum collection that contains $\Gamma$ and is monotone (if $B \in \mathrm{cl}(\Gamma)$ and $B \subseteq C$ then $C \in \mathrm{cl}(\Gamma)$). Given an access structure $\mathcal{A}$, we denote by $\mathcal{A}^m$ the collection of minimal sets of $\mathcal{A}$, that is $B \in \mathcal{A}^m$ if $B \in \mathcal{A}$ and for every $C \subsetneq B$ it holds that $C \notin \mathcal{A}$. If $\mathcal{A} = \{A : |A| \ge t\}$, then a secret sharing scheme for $\mathcal{A}$ is called a $t$ out of $n$ threshold secret sharing scheme, and the access structure $\mathcal{A}$ is called the $t$ out of $n$ threshold access structure.

Definition 2. A secret sharing scheme $\Pi : S \times R \to S_1 \times \cdots \times S_n$ is $m$-ideal if $|S_1| = |S_2| = \cdots = |S_n| = |S| = m$, that is the domain of the shares of each party has the same size as the domain of the secrets, and this domain contains $m$ elements. An access structure $\mathcal{A}$ is $m$-ideal if there exists an $m$-ideal secret sharing scheme that realizes $\mathcal{A}$. An access structure $\mathcal{A}$ is universally ideal if for every positive integer $m$ the access structure $\mathcal{A}$ is $m$-ideal.

2.2 Matroids

Before we continue, we recall the definition of matroids. Matroids are well studied combinatorial objects (see for example Welsh [Wel76]). A matroid is an axiomatic abstraction of linear independence. We give here one of the equivalent axiom systems that define matroids. A matroid $T = (V, I)$ is a finite set $V$ and a collection $I$ of subsets of $V$ such that (I1) through (I3) are satisfied.

(I1) $\emptyset \in I$.

(I2) If $X \in I$ and $Y \subseteq X$ then $Y \in I$.

(I3) If $X, Y$ are members of $I$ with $|X| = |Y| + 1$ there exists $x \in X \setminus Y$ such that $Y \cup \{x\} \in I$.


For example every finite vector space is a matroid, in which $V$ is the set of vectors and $I$ is the collection of the independent sets of vectors. The elements of $V$ are called the points of the matroid and the sets in $I$ are called independent sets. A dependent set of a matroid is any subset of $V$ that is not independent. The minimal dependent sets are called circuits. A matroid is said to be connected if for any two elements in $V$, there is a circuit containing both of them. The maximal independent sets are called bases. In every matroid, all bases have the same cardinality, which is defined as the rank of the matroid. A matroid is representable over a field $F$ if there exists a dependence preserving mapping from the points of the matroid into the set of vectors of a vector space over the field. In other words, there exist $k$ and a mapping $\varphi : V \to F^k$ that satisfies:

$A \subseteq V$ is a dependent set of the matroid iff $\varphi(A)$ is linearly dependent.

2.3 Relation between Secret Sharing Schemes and Matroids 

The next definition relates access structures and matroids. 

Definition 3. Let $\mathcal{A}$ be an access structure with $n$ parties $\{1, \ldots, n\}$ and let $T = (V, I)$ be a connected matroid. We say that the matroid $T$ is appropriate for the access structure $\mathcal{A}$ if $V = \{0, \ldots, n\}$ and

$\mathcal{A} = \mathrm{cl}(\{C \setminus \{0\} : 0 \in C \text{ and } C \text{ is a minimal dependent set of } T\})$

That is, the minimal sets of the access structure $\mathcal{A}$ correspond to the minimal dependent sets in the matroid which contain 0. Intuitively, 0 is added to the set $\{1, \ldots, n\}$ to "play the role" of the dealer.

There are various properties which the collection of minimal dependent sets in a matroid must satisfy, and these properties do not necessarily hold for an arbitrary access structure. Not every access structure has an appropriate matroid. But if a connected matroid is appropriate for an access structure, then it is the only matroid with this property (see [Wel76], Theorem 5.4.1). Brickell and Davenport [BD91] have found relations between the two notions when $\mathcal{A}$ is an ideal access structure. The next two theorems almost characterize $m$-ideal access structures.
Theorem 4 (necessary condition) [BD91]. If a non-degenerate access structure $\mathcal{A}$ is $m$-ideal for some positive integer $m$, then there exists a connected matroid $T$ that is appropriate for $\mathcal{A}$.

Theorem 5 (sufficient condition) [BD91].³ Let $q$ be a prime power, and $\mathcal{A}$ be a non-degenerate access structure. Suppose that there is a connected matroid $T$ that is appropriate for $\mathcal{A}$. If $T$ is representable over the field $GF(q)$, then $\mathcal{A}$ is $q$-ideal.

3 The Characterization Theorem 

The two theorems of Brickell and Davenport almost characterize $q$-ideal access structures for $q$ a prime power. However, if there is a connected matroid $T$ that is appropriate for $\mathcal{A}$ but is not representable over the field $GF(q)$, then the theorems do not determine whether or not $\mathcal{A}$ is $q$-ideal. While we do not close the remaining gap for $q$-ideal access structures, we do give a complete characterization for universally ideal ones. We recall that an access structure $\mathcal{A}$ is universally ideal if it is $q$-ideal for any finite domain of secrets. Our main result is:

Theorem 6. The access structure $\mathcal{A}$ is universally ideal if and only if $\mathcal{A}$ is binary-ideal (2-ideal) and ternary-ideal (3-ideal).

The proof of the theorem proceeds along the following lines: We strengthen Theorem 4 of Brickell and Davenport for the binary and ternary domains of secrets. We show that over these domains, every reconstruction function can be expressed as a linear combination of the shares of the parties. This enables us to show that if an access structure $\mathcal{A}$ is binary ideal, then there is a matroid $T$ that is appropriate for $\mathcal{A}$ and is representable over the binary field. The same result is proved for the ternary field. Then, using a known result from matroid theory, we conclude that if an access structure $\mathcal{A}$ is binary and ternary ideal, then there is a matroid $T$ appropriate for $\mathcal{A}$ which is representable over any field. Thus, by Theorem 5 of Brickell and Davenport, the access structure is $q$-ideal for any prime power $q$. Using the Chinese Remainder Theorem, $\mathcal{A}$ is $m$-ideal over any finite domain, namely is universally ideal, as desired.

Definition 7. Let $\Pi$ be a secret sharing scheme for $n$ parties $\{1, \ldots, n\}$, and the dealer which we denote by 0. The secret will be considered as the share of party 0, the dealer. Let $A \subseteq \{0, \ldots, n\}$ and $i \in \{0, \ldots, n\}$. The parties in $A$ cannot reveal any information about the share of $i$ if for every distribution on the secrets, every possible shares $\{s_a\}_{a \in A}$, and every possible shares $s_i, s_i'$

$\Pr[\Pi_i(s, r) = s_i \mid \{s_a\}_{a \in A}] = \Pr[\Pi_i(s, r) = s_i' \mid \{s_a\}_{a \in A}]$

We also say that $i$ is independent of $A$ with respect to $\Pi$.

³ The Theorem in [BD91] had a slightly weaker condition, which we omit for simplicity.






Definition 1 implies that if $A \subseteq \{1, \ldots, n\}$ and $A \notin \mathcal{A}$, then in every secret sharing scheme realizing $\mathcal{A}$ the secret (i.e. the share of the dealer) is independent of the shares of the parties in $A$.

Definition 8. Let $\Pi$ be a secret sharing scheme. We say that a subset $A \subseteq \{0, 1, \ldots, n\}$ is dependent with respect to $\Pi$ if there exists an $i \in A$ such that the parties in $A \setminus \{i\}$ can reconstruct the share of $i$ (in the sense of Definition 1). A subset $A \subseteq \{0, \ldots, n\}$ is independent if for every $i \in A$, $i$ is independent of $A \setminus \{i\}$ with respect to $\Pi$.

Notice that the notions of dependent and independent set with respect to a given secret sharing scheme are not complementary. There could be a subset $A$ of parties which could neither reconstruct the share of any of its members (and thus $A$ is not dependent), yet could reveal some information on the share of one of its members (and thus $A$ is not independent). However, for ideal secret sharing schemes, the following theorem of Brickell and Davenport [BD91] establishes the desired relation between the two notions.

Theorem 9 [BD91]. Let $\Pi$ be an ideal secret sharing scheme realizing a non-degenerate access structure $\mathcal{A}$ with $n$ parties $\{1, \ldots, n\}$ over some domain of secrets $S$. Let $A \subseteq \{0, \ldots, n\}$. Then

1. The subset $A$ is either dependent or independent with respect to $\Pi$.

2. The subset $A$ is independent with respect to $\Pi$ if and only if $A$ is an independent set in a matroid $T$ which is appropriate for $\mathcal{A}$.

Definition 10. Let $q$ be a prime power, and $\Pi$ a $q$-ideal secret sharing scheme. We say that $\Pi$ is linear if for every set that is dependent with respect to $\Pi$, the reconstruction function is linear. That is, for every $A \subseteq \{0, \ldots, n\}$ and every $0 \le i \le n$ such that $i \notin A$ and $i$ depends on $A$ with respect to $\Pi$, there are constants $a$ and $\{a_j\}_{j \in A}$ (all in $GF(q)$) such that for every secret $s \in GF(q)$ and choice of random inputs $r \in R$

$\Pi_i(s, r) = a + \sum_{j \in A} a_j \Pi_j(s, r)$

where the sum is mod $q$.

We remark that the secret sharing scheme of Shamir [Sha79] is linear. The secret (or any other share) is reconstructed from the shares by substitution in the interpolating polynomial. The sufficient condition of Brickell and Davenport [BD91] (Theorem 5) states that if an access structure $\mathcal{A}$ has an appropriate matroid which is representable over $GF(q)$, then $\mathcal{A}$ is $q$-ideal. Their scheme, using our terminology, is a linear $q$-ideal secret sharing scheme. Our next lemma states the reverse direction.

Lemma 11. If an access structure $\mathcal{A}$ has a linear $q$-ideal secret sharing scheme, then $\mathcal{A}$ has an appropriate matroid which is representable over $GF(q)$.
Proof (sketch). By Theorem 4 there is a matroid which is appropriate for $\mathcal{A}$. Let $\Pi$ be a linear $q$-ideal secret sharing scheme for the access structure $\mathcal{A}$. Using $\Pi$, we will construct a dependence preserving mapping $\phi$ from the set of points of the matroid, $\{0, \ldots, n\}$, into a vector space over $GF(q)$.

The mapping $\phi$ will be constructed in two stages. In the first stage we will map $V = \{0, \ldots, n\}$ to $GF(q)^{q \cdot |R|}$, where $R$ is the source of randomness used in $\Pi$. For every $a \in V$ we define

$\phi_1(a) = (\Pi_a(s_1, r_1), \Pi_a(s_1, r_2), \ldots, \Pi_a(s_q, r_{|R|}))$

Intuitively $\phi_1(a)$ describes the shares of party $a$ with every secret and every random input. In the second stage we construct a mapping $\phi_2$ which fixes some remaining technicalities. We leave the details to the final version of this paper. These two mappings $\phi_1$ and $\phi_2$ have the property that $A \subseteq V$ is dependent in $T$ if and only if $\phi_2 \circ \phi_1(A)$ is linearly dependent in $GF(q)^k$. Thus $\phi = \phi_2 \circ \phi_1$ is a dependence preserving mapping, and by definition the appropriate matroid $T$ is representable over $GF(q)$. □

Definition 12. We say that a function $f : S^t \to S$ is component sensitive if for every $1 \le i \le t$, every $s_1, \ldots, s_{i-1}, s_i, s_i', s_{i+1}, \ldots, s_t \in S$ ($s_i' \ne s_i$):

$f(s_1, \ldots, s_i, s_{i+1}, \ldots, s_t) \ne f(s_1, \ldots, s_{i-1}, s_i', s_{i+1}, \ldots, s_t)$.

In other words, every change of the value of one variable of $f$ changes the value of $f$.

Lemma 13. Let $\Pi$ be a $q$-ideal secret sharing scheme. Let $i \in \{0, \ldots, n\}$, and $A \subseteq \{0, \ldots, n\}$ be a minimal subset such that $i$ depends on $A$ and $i \notin A$. Let $f : S^{|A|} \to S$ be the reconstruction function of the $i$-th share from the shares of the parties in $A$. Then $f$ is component sensitive.

Proof. Omitted from this preliminary version. 

We now show that the only component sensitive functions for the binary and 
for the ternary domains are linear. We start with the binary case. 

Lemma 14. Let $f : GF(2)^t \to GF(2)$ be a component sensitive function. Then $f$ can be expressed as a linear function with non-zero coefficients over $GF(2)$:

$f(x_1, \ldots, x_t) = a + \sum_{i=1}^{t} a_i x_i$ ($a_i \ne 0$ for all $i$).

Proof. Omitted from this preliminary version. 

We use Lemma 14 to give an exact characterization of binary-ideal access 
structures. 

Corollary 15. An access structure $\mathcal{A}$ is binary-ideal if and only if there is a matroid which is representable over $GF(2)$ and is appropriate for $\mathcal{A}$.

Proof. Let $\Pi$ be a binary-ideal secret sharing scheme that realizes the access structure $\mathcal{A}$. By Lemma 13 the reconstruction function of every dependent set is component sensitive. Therefore by Lemma 14 every reconstruction function is linear over $GF(2)$, or in other words $\Pi$ is a linear scheme. By Lemma 11, we conclude that if $\mathcal{A}$ is binary-ideal then $\mathcal{A}$ has an appropriate matroid that is representable over $GF(2)$. The other direction is implied by the sufficient condition of Brickell and Davenport [BD91] (Theorem 5). □

The next lemma parallels Lemma 14, this time for the ternary case.

Lemma 16. Let $f : GF(3)^t \to GF(3)$ be a component sensitive function. Then $f$ can be expressed as a linear function with non-zero coefficients over $GF(3)$:

$f(x_1, \ldots, x_t) = a + \sum_{i=1}^{t} a_i x_i$ ($a_i \ne 0$ for all $i$).

Proof (sketch). The proof relies on the observation that any partial assignment to the variables of a component sensitive function results in a new component sensitive function (of the remaining variables). In addition, a component sensitive function of one variable is a permutation of its domain.

For any finite field $GF(q)$, any function which maps $GF(q)^t$ into $GF(q)$ can be expressed as a multivariate polynomial over the field, in which every monomial of $f$ contains variables whose powers do not exceed $q - 1$ (since $x^q = x$). In our case the power will not exceed 2.

We first show that no term in the polynomial $f$ contains a variable of degree 2. Suppose, without loss of generality, that $x_1$ appears with degree 2 in some monomial. The polynomial $f$ will have the form:

$x_1^2 \cdot p_1(x_2, \ldots, x_n) + x_1 \cdot p_2(x_2, \ldots, x_n) + p_3(x_2, \ldots, x_n)$

where the polynomial $p_1$ is not identically zero, and $p_2, p_3$ are arbitrary polynomials. Hence there exists a substitution to the variables $x_2, \ldots, x_n$ such that the value of $p_1$ after the substitution is not zero. This substitution to $f$ yields a polynomial in $x_1$ of the form $a x_1^2 + b x_1 + c$. The coefficient of $x_1^2$, $a$, is non-zero. By the observation mentioned above, the resulting function of $x_1$ should also be component sensitive. It is not hard to check that any degree 2 polynomial over $GF(3)$ is not a permutation⁴, and therefore is not component sensitive. Thus $f$ contains no variable of degree 2, so all its monomials are multilinear.

We still have to show that $f$ contains no monomial with two variables. We leave the details to the final version of the paper. □

We remark that $GF(3)$ is the largest field where every component sensitive function is linear. Already for $GF(4)$, there are $4! = 24$ component sensitive functions of one variable (permutations), but only $3 \cdot 4 = 12$ non-constant linear functions. Now using the same arguments as in the proof of Corollary 15 (for the binary case), we conclude with the following characterization of ternary-ideal access structures.

⁴ Every polynomial of the form $a \cdot x_1 + b$ where $a \ne 0$ is a permutation. There are 6 such polynomials and there are 6 permutations over $GF(3)$, therefore no degree 2 polynomial can be a permutation.

Corollary 17. An access structure $\mathcal{A}$ is ternary-ideal if and only if there is a matroid which is representable over $GF(3)$ and is appropriate for $\mathcal{A}$.

We saw that representation over $GF(2)$ determines if an access structure is binary-ideal, and representation over $GF(3)$ determines if an access structure is ternary-ideal. Therefore, if an access structure is both binary-ideal and ternary-ideal, then it has an appropriate matroid that is representable over $GF(2)$ and over $GF(3)$. The next proposition from [Wel76] states strong implications of the representability over the two finite fields. It will be used to complete the proof of our main theorem.

Proposition 18. A matroid $T$ is representable over $GF(2)$ and over $GF(3)$ if and only if $T$ is representable over any field.

Using this proposition we get: 

Corollary 19. If an access structure $\mathcal{A}$ is binary-ideal and ternary-ideal then for every $q$ such that $q$ is a prime power, $\mathcal{A}$ is $q$-ideal.

Proof. If an access structure $\mathcal{A}$ is binary-ideal and ternary-ideal, then by Corollaries 15 and 17 the access structure $\mathcal{A}$ has an appropriate matroid $T$ that is representable over $GF(2)$ and over $GF(3)$ (remember that there can be only one appropriate matroid for $\mathcal{A}$). Hence Proposition 18 implies that $T$ is representable over any field. From Theorem 4 we conclude that the access structure $\mathcal{A}$ is ideal over any finite field, i.e. $\mathcal{A}$ is $q$-ideal for every prime power $q$. □

Corollary 20. If an access structure $\mathcal{A}$ is binary-ideal and ternary-ideal then for every positive integer $m$, the access structure $\mathcal{A}$ is $m$-ideal.

Proof. Let $S$ be a finite domain of secrets of size $m$. Let $m = p_1^{e_1} \cdot p_2^{e_2} \cdots p_t^{e_t}$ where the $p_j$ are distinct primes. Given a secret $s \in S$, for every $1 \le j \le t$, independently, we use the ideal secret sharing scheme to share $s \bmod p_j^{e_j}$. Every subset of parties $A \in \mathcal{A}$ can reconstruct $s \bmod p_j^{e_j}$; therefore using the Chinese Remainder Theorem, they can reconstruct the secret. Since for each $j$ the secret $s \bmod p_j^{e_j}$ is shared independently, every subset $A \notin \mathcal{A}$ does not know anything about the secret $s$. □

This last corollary is a restatement of Theorem 6, and it completes the argu- 
ments in the proof of our main result. 

4 Examples 

In this section we formulate several known constructions from matroid theory as ideal access structures. Our first two examples show that the condition of Theorem 6 cannot be relaxed: being either just 2-ideal or just 3-ideal is not sufficient for being universally ideal. Then, we demonstrate how graphic and cographic matroids give rise to interesting classes of universally ideal access structures.

Example 1 (the 2 out of 3 access structure). We recall that the 2 out of 3 access structure is the access structure with 3 parties in which every two parties together can reconstruct the secret, and every party by itself does not know anything about the secret. The appropriate matroid for this access structure is the matroid with $V = \{0, 1, 2, 3\}$ and $I = \{A : |A| \le 2\}$. It is not difficult to verify that this matroid is not representable over $GF(2)$, hence the 2 out of 3 access structure is not 2-ideal. But this access structure is 3-ideal, as the following scheme demonstrates:

Let $s \in \{0, 1, 2\}$ be the secret. The dealer chooses at random a number $r \in \{0, 1, 2\}$. The share of party 1 is $r$, the share of party 2 is $r + s$, and the share of party 3 is $r + 2s$ (all mod 3). This access structure demonstrates that being 3-ideal does not suffice to guarantee that an access structure is universally ideal.

Example 2. Consider the following access structure $\mathcal{T}$ (see Fig. 1). The set of parties is $\{1, 2, 3, 4, 5, 6\}$. The access structure is the closure of the set

$\mathcal{T}^m = \{\{1,4\}, \{2,5\}, \{3,6\}, \{1,2,6\}, \{1,3,5\}, \{2,3,4\}, \{4,5,6\}\}$.

The matroid that is appropriate for this access structure is the Fano matroid [Wel76], which is representable only over fields of characteristic 2. Hence $\mathcal{T}$ is 2-ideal, and is not 3-ideal. The 2-ideal secret sharing scheme for $\mathcal{T}$ uses two random bits $r_0, r_1$ which are chosen independently with uniform distribution. The scheme is described in Fig. 2. This access structure demonstrates that being 2-ideal does not suffice to guarantee that an access structure is universally ideal.



[Fig. 1. The minimal sets of the access structure $\mathcal{T}$; the drawing itself is not reproduced.]



The access structure $\mathcal{T}' = \mathrm{cl}(\mathcal{T}^m \cup \{\{3, 4, 5\}\})$ has an appropriate matroid that is representable over $GF(3)$ but not over $GF(2)$ [Wel76]. Actually, the 3-ideal secret sharing scheme for $\mathcal{T}'$ is the same as the binary scheme for $\mathcal{T}$, except here $r_0, r_1$ are chosen uniformly and independently from $\{0, 1, 2\}$. Notice that the parties $\{3, 4, 5\}$ can reconstruct $2s$ over the two fields, which is useless over $GF(2)$, but enables them to reconstruct the secret over $GF(3)$. This access structure demonstrates again that being 3-ideal does not suffice to guarantee that an access structure is universally ideal.

[Fig. 2. An ideal scheme for $\mathcal{T}$ with secret $s$ and random independent inputs $r_0, r_1$; of the drawing only the shares $r_1 + s$ and $r_0 + r_1 + s$ are legible.]

Example 3. Here we give a method for combining two ideal access structures for $n$ and $\ell$ parties into a new ideal access structure for $n + \ell - 1$ parties. Let $\mathcal{A}$ be a non-degenerate access structure with parties $\{1, \ldots, n\}$, and let $\mathcal{A}_1$ be an access structure with parties $\{n+1, \ldots, n+\ell\}$. We denote by $\mathcal{A}' = \mathcal{A}(i, \mathcal{A}_1)$ the access structure with $n + \ell - 1$ parties $\{1, \ldots, i-1, i+1, \ldots, n, n+1, \ldots, n+\ell\}$, and reconstructing sets



That is, the sets that can reconstruct the secret in the new access structure are:

— The sets from $\mathcal{A}$ that do not contain party $i$.

— The sets from $\mathcal{A}$ that do contain party $i$, in which we replace the party $i$ with each set of $\mathcal{A}_1$.

Let $\mathcal{A}$ be a non-degenerate access structure, let $i$ be a party in $\mathcal{A}$, and let $\mathcal{A}_1$ be an access structure. We will show that if $\mathcal{A}$ and $\mathcal{A}_1$ are universally ideal then $\mathcal{A}' = \mathcal{A}(i, \mathcal{A}_1)$ is universally ideal, by describing (for every $m$) an $m$-ideal secret sharing scheme for $\mathcal{A}'$. Given a secret $s$ use an $m$-ideal scheme to generate shares for the parties in $\mathcal{A}$. Let $a$ be the random variable that denotes the share of party $i$ in the scheme for $\mathcal{A}$. Now use an $m$-ideal scheme for $\mathcal{A}_1$ with secret $a$ to generate shares for the parties in $\mathcal{A}_1$.

It is easy to see that the 1 out of 2 threshold access structure is universally ideal (give the secret to the two parties). The 2 out of 2 threshold access structure is also universally ideal (give the first party a random input $r$, and to the second party $s + r \bmod m$). Using these two access structures as building blocks, and using the above construction recursively, we get a class of universally ideal access structures. The resulting class of access structures is a special case of access structures whose appropriate matroids are graphic, a class which we discuss next.

Example 4. Let $G = (V, E)$ be an undirected graph. The cycles of $G$ (as defined in graph theory) are the minimal dependent sets of a matroid $T(G)$ on the edge set $E$. In other words, the set of points of the matroid $T(G)$ is the set of edges of $G$, and $A \subseteq E$ is an independent set of $T(G)$ if $A$ does not contain cycles, i.e. $A$ is a forest in $G$. A matroid $T$ is graphic if there exists some graph $G$ such that $T$ is isomorphic to the cycle matroid $T(G)$. Every graphic matroid is representable over any field [Wel76]. Therefore if an access structure $\mathcal{A}$ has a graphic appropriate matroid, then $\mathcal{A}$ is universally ideal. To be more precise, let $G = (V, E)$ where $V = \{0, 1, \ldots, n\}$, $E \subseteq V \times V$, and $e_0 = (0, 1) \in E$ be a special edge which corresponds to the dealer. Let

$\mathcal{A}(G) = \mathrm{cl}(\{C \setminus \{e_0\} : C \subseteq E \text{ is a minimal cycle that contains } e_0\})$

Then $\mathcal{A}(G)$ is universally ideal. The scheme $\Pi$ for graphic matroids is actually quite simple. Let $r = \langle r_1, r_2, \ldots, r_{|V|-1} \rangle$ be the random input ($|V| - 1$ independent values). Then for every $(i, j) \in E$ ($i < j$)



For every simple path which starts at node 1 and ends at node 0, it is possible to assign $\pm 1$ weights to the shares along the path, such that the weighted sum is equal to the secret $s$. This scheme was found previously (not in the context of graphic matroids) by Benaloh and Rudich [BR89].

We demonstrate this construction on a specific graph $G_0$, shown in Fig. 3. The cycles in the graph are:

$\{e_0, e_2, e_3\}, \{e_0, e_1, e_2, e_4\}, \{e_1, e_3, e_4\}$,

and these sets are the minimal dependent sets of $T(G_0)$. The access structure $\mathcal{A}(G_0)$ is the closure of $\{\{e_2, e_3\}, \{e_1, e_2, e_4\}\}$. The dealer is the edge $e_0$. The shares of the parties $e_2$ and $e_3$ are $r_1 - r_2$ and $r_1 + s - r_2$ respectively, and they can reconstruct the secret by subtracting their shares.

Example 5. Let $G = (V, E)$ be an undirected graph. A cut in $G$ is a collection of edges such that deleting them from $G$ increases the number of connected components in the remaining graph. The cuts of $G$ are the minimal dependent sets of a matroid $T^*(G)$ on the edge set $E$. A matroid $T$ is cographic if there exists some graph $G$ such that $T$ is isomorphic to the cut matroid $T^*(G)$. Every cographic matroid is representable over any field [Wel76]. Therefore if an access structure $\mathcal{A}$ has a cographic appropriate matroid, then $\mathcal{A}$ is universally ideal. To be more precise, let $G = (V, E)$ where $V = \{0, 1, \ldots, n\}$, $E \subseteq V \times V$, and $e_0 = (0, 1) \in E$ be a special edge which corresponds to the dealer. Let

$\mathcal{A}^*(G) = \mathrm{cl}(\{C \setminus \{e_0\} : C \subseteq E \text{ is a minimal cut that contains } e_0\})$
[Fig. 3. The graph $G_0$; the drawing itself is not reproduced.]

Then $\mathcal{A}^*(G)$ is universally ideal. We again demonstrate this example on the graph $G_0$ shown in Fig. 3. The cuts of $G_0$ are

$\{e_0, e_1, e_3\}, \{e_0, e_2\}, \{e_0, e_3, e_4\}, \{e_1, e_2, e_3\}, \{e_1, e_4\}, \{e_2, e_3, e_4\}$,

and these are the minimal dependent sets of the matroid $T^*(G_0)$.
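The schemes of Examples 1, 2 and 4 can be checked mechanically against the two requirements of Definition 1 by enumerating every secret and random input. The following Python script is an added example and not part of the paper; the assignment of Fano vectors to parties and the edge labelling of $G_0$ are assumptions of this example, reconstructed from the minimal sets, cycles and cuts the text lists, as the comments state.

```python
# Added example (not from the paper): checks the schemes of Examples 1, 2
# and 4 against the two requirements of Definition 1 by brute force.
from collections import Counter
from itertools import combinations, product


def share_table(q, n_random, share_fn):
    """Enumerate every (secret, random input) pair of a scheme over Z_q.
    share_fn(s, r) returns a dict {party: share}."""
    return [(s, share_fn(s, r))
            for s in range(q) for r in product(range(q), repeat=n_random)]


def classify(table, subset):
    """'reconstruct' if the shares of `subset` determine the secret
    (requirement 1), 'private' if their joint distribution is the same
    for every secret (requirement 2), 'partial' otherwise."""
    secrets = sorted({s for s, _ in table})
    views = {s: Counter(tuple(sh[p] for p in subset)
                        for t, sh in table if t == s) for s in secrets}
    if all(views[s] == views[secrets[0]] for s in secrets):
        return "private"
    seen = set().union(*(v.keys() for v in views.values()))
    if all(sum(1 for s in secrets if v in views[s]) == 1 for v in seen):
        return "reconstruct"
    return "partial"


def access_structure(q, n_random, share_fn, parties):
    """Return (minimal reconstructing sets, dichotomy flag). The flag is
    True when every subset is reconstructing or perfectly private, the
    dichotomy Theorem 9 guarantees for ideal schemes."""
    table = share_table(q, n_random, share_fn)
    kinds = {A: classify(table, A)
             for k in range(len(parties) + 1)
             for A in combinations(parties, k)}
    recon = {A for A, kind in kinds.items() if kind == "reconstruct"}
    minimal = {A for A in recon if not any(set(B) < set(A) for B in recon)}
    return minimal, "partial" not in kinds.values()


# Example 1: shares r, r + s, r + 2s mod q. Over Z_3 this is the 2 out of 3
# scheme of the paper; over Z_2 party 3 merely duplicates party 1.
def threshold_2_of_3(q):
    def share_fn(s, r):
        return {1: r[0] % q, 2: (r[0] + s) % q, 3: (r[0] + 2 * s) % q}
    return share_fn


# Example 2: linear scheme for the Fano access structure T. Party p holds
# a*r0 + b*r1 + c*s for its vector (a, b, c). The assignment of vectors to
# parties is an assumption of this example, reconstructed from the minimal
# sets T^m listed in the text and the two shares legible in Fig. 2.
FANO_VECTORS = {1: (1, 0, 0), 2: (0, 1, 0), 3: (1, 1, 0),
                4: (1, 0, 1), 5: (0, 1, 1), 6: (1, 1, 1)}


def fano(q):
    def share_fn(s, r):
        r0, r1 = r
        return {p: (a * r0 + b * r1 + c * s) % q
                for p, (a, b, c) in FANO_VECTORS.items()}
    return share_fn


# Example 4: graphic scheme on G_0. The vertex set {0,1,2,3} and the edge
# labelling e0=(0,1) (dealer), e1=(0,3), e2=(1,2), e3=(0,2), e4=(2,3) are
# recovered from the cycles and cuts of G_0 listed in the text. The share
# of edge (i, j) is taken to be r_i - r_j with r_0 := r_1 + s; this form is
# an assumption, chosen to agree with the shares of e2 and e3 quoted there.
G0_EDGES = {1: (0, 3), 2: (1, 2), 3: (0, 2), 4: (2, 3)}


def graphic_g0(m):
    def share_fn(s, r):
        pot = {1: r[0], 2: r[1], 3: r[2]}
        pot[0] = (pot[1] + s) % m
        return {e: (pot[i] - pot[j]) % m for e, (i, j) in G0_EDGES.items()}
    return share_fn


if __name__ == "__main__":
    for q in (2, 3):
        print(f"Example 1 over Z_{q}:",
              access_structure(q, 1, threshold_2_of_3(q), range(1, 4)))
        print(f"Example 2 over GF({q}):",
              access_structure(q, 2, fano(q), range(1, 7)))
    for m in (2, 3, 4, 5, 6):
        print(f"Example 4 over Z_{m}:",
              access_structure(m, 3, graphic_g0(m), range(1, 5)))
```

Over $GF(3)$ the Fano scheme gains exactly the minimal set $\{3, 4, 5\}$, and the graphic scheme on $G_0$ yields the same access structure for every modulus tried, including the composite ones.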
Abstract. "Zero-knowledge arguments" is a fundamental cryptographic primitive which allows one polynomial-time player to convince another polynomial-time player of the validity of an NP statement, without revealing any additional information in the information-theoretic sense. Despite their practical and theoretical importance, it was only known how to implement zero-knowledge arguments based on specific algebraic assumptions; basing them on a general complexity assumption was open since their introduction in 1986 [BCC, BC, CH]. In this paper, we finally show a general construction, which can be based on any one-way permutation.

We stress that our scheme is efficient: both players can execute only polynomial-time programs during the protocol. Moreover, the security achieved is on-line: in order to cheat and validate a false theorem, the prover must break a cryptographic assumption on-line during the conversation, while the verifier can not find (ever!) any information unconditionally (in the information theoretic sense).

1 Introduction

Reducing complexity assumptions for basic cryptographic primitives is a ma- 
jor current research program in cryptography. Characterizing the necessary and 
sufficient complexity conditions needed for primitives helps us develop the the- 
oretical foundations of cryptography, and further, reducing requirements for a 
primitive may imply more concrete underlying functions for its practical imple- 
mentations. 

Here we study the problem of secure transfer of the proof of "validity of an 
NP assertion" in this perspective. We note that the ability to convey proofs for 
NP in a secure way (i.e., in zero-knowledge (ZK) fashion, as defined by [GMR]) 
has a large variety of applications in cryptography and distributed computing. 

Informally, proving some fact in zero-knowledge is a way for one player (called 
"prover") to convince another player (called "verifier") that certain fact is true, 
while not revealing any additional information. In our setting, we assume that 
both players are polynomially bounded (thus NP proofs where the prover has 
a witness, are the natural setting). We must make complexity assumptions for 
implementing the above task since in our setting these protocols imply existence 
of a one-way function. The assumptions could be used in two different ways: 

1. Zero-knowledge proofs [GMR, GMW]: The prover can not convince the verifier to accept a false theorem, even if he gets help from an infinitely powerful computation; while the verifier (or anyone overhearing the protocol), if he ever breaks the assumption (say, after 100 years), can extract additional information about the proof (thus, the security is only ensured computationally).

2. Zero-knowledge arguments [CH, BC, BCC]: The verifier can not extract additional information even if he is given infinite time (i.e., security is perfect); however, the prover (assumed to be polynomial-time) can cheat in his proof only if he manages to break the assumption on-line during the execution of the protocol. This is the reason to call it an "argument" rather than a "proof".

In many practical settings, ZK-arguments may be preferable to ZK-proofs: the verifier must only be sure that the prover did not break the assumption during their interaction (which lasted, say, ten seconds or minutes). Notice that while assuring that the assumption can never be broken is unreasonable, the assumption that something can not be broken during the next ten minutes can be based on the current state of the art. On the other hand, the prover has an absolute (i.e. information-theoretic) guarantee that no additional information is released, even if the verifier spends as much time as it desires trying (off-line) to extract it. (Thus, the notion of zero-knowledge arguments is useful if there is a need to maintain the secrecy for a very long time, independent of the possible future advance of cryptanalysis.)

So far the complexity assumptions needed for perfect zero-knowledge arguments were too strong: they required specific algebraic assumptions. This is in contrast with zero-knowledge interactive proofs, which can be based on any one-way function. In this work we finally dispose of specific algebraic assumptions for zero-knowledge arguments:

Main result: If one-way permutations exist, then it is possible for polynomial-time players to perform perfect zero-knowledge arguments for all of NP.

In our proof, we construct an information-theoretically secure bit-commitment scheme, which has additional applications like information-theoretically secure coin-flipping. We can implement the scheme (with almost-perfect security) based on $k$-regular one-way functions. One practical implication of our result is that secure arguments can now be based on functions which are DES-like ciphers.

1.1 Background and organization 

Past successes in establishing basic cryptographic primitives on general assumptions (initiated in [Y82]) have shown that various primitives, which were originally based on specific algebraic functions, can be based on the existence of general one-way functions or permutations. For example, Naor [N] showed that computationally secure bit commitments (i.e., bit commitments which can be broken off-line given sufficient resources) can be constructed from a pseudorandom generator (a notion originated and first implemented based on a discrete logarithm assumption in [BM]). The latter, in turn (after a long sequence of papers), can now be based on any one-way function [ILL, H]. Another primitive that can now be based on any one-way function is digital signatures [NY, Ro]. Furthermore, these primitives (and primitives derived from them, e.g. identification) were shown to imply a one-way function (thus they are equivalent) [IL]. On the other hand, basing the primitive of oblivious transfer on a general one-way permutation which is not a trapdoor(5) was shown to be "a seemingly hard task" [IR]: when based on black-box reductions, it would separate P and NP (on the positive side, a trapdoor permutation is sufficient).

(5) A trapdoor implies that there is information which enables easy inversion.

Concerning secure proofs, Goldreich, Micali and Wigderson showed that zero-knowledge proofs for NP can be done and require secure encryption functions (the results of [N, ILL, H] give such functions under any one-way function); this applies to general IP proofs as well [IY]. Further, zero-knowledge proofs and zero-knowledge arguments for non-trivial languages, as well as the non-interactive zero-knowledge proofs of [BFM, BDMP], imply the existence of one-way functions [OW].

In contrast to computational zero-knowledge proofs, the primitive of perfect 
zero-knowledge arguments for NP was much inferior in this respect: their con- 
structions were known only under specific algebraic assumptions [BCC, BKK, 
IY, BY, IN]. Our result gives the first general reduction: zero-knowledge NP- 
arguments can be constructed given any one-way permutation. 

Our construction has two stages. First, we show how to design an information-theoretically secure bit commitment between two polynomial-time parties based on any one-way permutation (we employ a technique that can be called "interactive hashing", introduced initially in a different model involving an all-powerful party [OVY1]). Moreover, we do it in such a way that the conversations in the commitment protocol are simulatable (i.e., by an expected polynomial-time algorithm). Then, we apply the reduction of "perfectly-secure simulatable bit commitment" to "perfect ZK-argument". (A general scheme connecting various commitments to various ZK-systems was given in e.g. [IY] and can be used.)

We note that this work differs from [OVY1] in that there the sender must 
be able to invert one-way functions, whereas here the sender is efficient (this is 
the traditional cryptographic model). In [OVY1] we deal with oblivious transfer 
and any technique succeeding in allowing a weak sender there, would be quite 
significant since it would implement oblivious transfer between polynomial time 
parties using one-way permutations (see [IR]). 

1.2 Relation to recent work on bit-commitment 

Recently, models in which parties may have power beyond polynomial-time were investigated; it is worthwhile pointing out the differences between the current work and the recent one. By "From Strong to Weak BC", we denote bit-commitment (BC) protocols in which even an infinitely-powerful "Committer" cannot cheat (i.e., change the value of the committed bit) except with negligible probability, but the polynomial-time "Receiver" can "see" the commitment if he breaks the assumption. The result of [N] implies that under any one-way function, there is a (Strong-to-Weak) BC from a polynomial-time Committer to a polynomial-time Receiver (that is, it is an efficient protocol, and the underlying assumption in this case is optimal [IL]).

The work in [OVY2] investigated commitments between a strong and a polynomial-time player where the strong player actually uses its non-polynomial-time power. Thus, the main issue in that paper is how cryptographic assumptions change and can be relaxed when the power of the players differs (rather than being polynomial-time for both players, as needed in practical applications). It is shown that unless Distributional-NP = RP there is a (Strong-to-Weak) BC from a Committer with (NP union co-NP) power to a polynomial-time Receiver. Similarly, unless Distributional-PSPACE = RP, there is a (Strong-to-Weak) BC from a (PSPACE) Committer to a polynomial-time Receiver. Distributional-NP is defined by Levin in the theory of average-case NP, whereas Distributional-PSPACE is a complete (in Levin's sense) problem for PSPACE under a uniform distribution. Thus, when allowing the committer to use non-polynomial power, this theoretical result relaxes the assumptions in [N].

By "From Weak to Strong BC", we denote BC in which even an infinitely-powerful "Receiver" cannot "see" the commitment, but the polynomial-time Committer cannot change the value of the commitment if a complexity assumption holds. In [OVY2] it is also shown, based on the oblivious transfer protocols among unequal-power players introduced in [OVY1] (where interactive hashing was presented), that given any one-way function, there is a (Weak-to-Strong) BC from a polynomial-time Committer to a (PSPACE) Receiver (and if the receiver is NP, the same holds under a one-way permutation).

The main results in [OVY1] yield oblivious transfer under one-way func- 
tion when players have unequal power. The cryptographic application of [OVY1] 
(when both parties are polynomial time), is basing two-party secure computation 
with one party having information theoretic security under general trapdoor per- 
mutation assumption (whereas previously known under specific algebraic trap- 
door functions). This is done by applying the results for one-way permutation 
but by adding a trapdoor property to be useful in cryptographic scenarios (so 
that computations are in polynomial-time). 

In the current paper, we assume polynomial-time parties and do not use non-polynomial-time computations. We stress again that this is the model for cryptographic applications. Further, we make no use of trapdoor properties, as BC's and secure interactive proofs do not need decryptions, but rather the displaying of pre-images (for decommittals). Our result here for BC can be stated as: given any one-way permutation, there is an efficient (Weak-to-Strong) BC protocol from a polynomial-time Committer to a polynomial-time Receiver (which may be stronger); the BC is simulatable and is a commitment of knowledge.

1.3 Organization of the paper 

In section 2, we give the model, the formal definitions of the problem, and the 
assumptions. (Specifically, we present the model of interactive machines, the 
definitions of perfect zero-knowledge arguments, the notion of commitment, and 
the definition of one-way functions and permutations). In Section 3, we present 
the new method for basing a perfectly-secure bit commitment on a one-way 
permutation, and discuss its reduction to zero-knowledge arguments. In section 
4 we present additional applications of our methods. 

2 Model and Definitions 

Let Alice (the prover) and Bob (the verifier) be interacting Turing machines [GMR, B] which share access to a security parameter n and to common communication tapes. Each has private input and output tapes and a private random tape. When Alice's and Bob's programs are both polynomial time, we say that the protocol is "efficient" (we will assume this throughout). Alice usually has a private tape in which a "witness" to the correctness of the common input is written. We may consider Bob to be infinitely powerful when he wishes to extract information from a protocol conversation, although he needs only polynomial-time computations to execute the protocol. Both parties share an input tape of size n and two "communication tapes": tapes for Alice to write on and Bob to read, and vice versa. Bob has a private history tape h.

2.1 Perfect Zero-Knowledge Arguments 

An NP-proof protocol with polynomial-time prover is a protocol between two polynomial-time parties: a prover Alice and a verifier Bob. The parties take turns being "active", that is, reading the tapes, performing the computation, and outputting a "message" on the corresponding communication tape. Both parties are probabilistic machines (i.e., they have a read-only infinite tape of truly random bits which is private and read left-to-right). Alice also has a private input with a witness to the input. (Without loss of generality, we can assume that the input is a legal satisfiability (SAT) statement, since otherwise any NP statement can be translated first to SAT, and Alice can translate the witness to a witness for the SAT statement.) At the end of the protocol Bob moves to one of two states: ACCEPT or REJECT.

Definition 1 An NP-proof protocol with polynomial-time prover is called an argument if:

1. There exists a polynomial-time program (in the statement size, which is the security parameter) for Alice such that, given any statement in NP, Alice can always convince polynomial-time Bob (that is, make Bob move to ACCEPT at the end of the interaction).

2. No polynomial-time Alice* interacting with Bob can convince Bob to ACCEPT when the input is not true, except with negligibly small probability (that is, for every polynomial p and large enough input, the error becomes smaller than 1/p(n)).

For an input I and history h let CONV_{Bob*}(I, h) be the random variable (depending on the parties' random tapes) which Bob* produces throughout an interaction with Alice.

We note that, similarly, an argument can prove "possession of knowledge" in the sense that one formally shows that a machine employing the prover can extract a witness to the claimed NP statement [FFS, TW, BG]. (In the next version we describe this as well.)

We say that two distributions μ_1 and μ_2 on {0,1}^n are almost identical if for all polynomials p(n), large enough n and all A ⊆ {0,1}^n, |μ_1(A) − μ_2(A)| < 1/p(n).

Definition 2 An argument is perfectly zero-knowledge if: for all verifiers Bob*, there is a simulator which is a probabilistic expected polynomial-time machine M_{Bob*}, such that for any input I it produces a random variable SIM_{Bob*}(I, h) so that the distribution of SIM_{Bob*}(I, h) is identical to that of CONV_{Bob*}(I, h).

2.2 Commitment 

Definition 3 A bit commitment protocol consists of two stages:

- The commit stage: Alice has a bit b on her input tape, to which she wishes to commit to Bob. She and Bob exchange messages. At the end of the stage Bob has some information that represents b written on his output tape.

- The reveal (opening) stage: Alice and Bob exchange messages (where their output tapes from the commit stage serve as input tapes for this stage). At the end of the exchange Bob writes b on his output tape.

Definition 4 To be a perfectly-secure commitment, the protocol must obey the following: for all Turing machines Bob, for all probabilistic polynomial-time Alice, for all polynomials p and for large enough security parameter n

1. (Security property:) After the commit stage, when Alice follows the protocol, Bob cannot guess b with probability greater than 1/2 + 1/p(n) (even if Bob is given unbounded computational resources).

2. (Binding property:) After a commit stage in which Bob follows the protocol, with probability at least 1 − 1/p(n) the polynomial-time Alice can reveal only one possible value.

Note that the security property does not rely on Bob being polynomial time. In addition, if Bob's algorithm can be performed in polynomial time, we say that the bit commitment is "efficient"; we concentrate on this case.

We say that a commitment scheme is polynomial-time simulatable (with respect to the receiver) if, given a polynomial-time receiver Bob*, its history of conversations is a probability space simulatable by having Bob* take part in a computation with an expected polynomial-time machine S (as in the definition of zero-knowledge).

We call a commitment a commitment of knowledge if there is a polynomial-time machine X (extractor) interacting with the sender performing the commit stage, such that the probability that X outputs a bit b is close to the probability that the reveal stage outputs the same bit b (assuming the reveal ended successfully). (A formal definition is postponed to the full version.)

In defining the properties that a bit commitment protocol must obey, we have assumed a scenario where Bob cannot guess b with probability greater than 1/2 prior to the execution of the commit protocol. In the more general case, Bob has some auxiliary input that might allow him to guess b with probability q > 1/2. The definition for this case is that, as a result of the commit stage, the advantage that Bob gains in guessing b is less than 1/p(n). All the results of this paper hold for this more general case as well.

2.3 One-way functions and permutations 

We define the underlying cryptographic operations we assume.

Let f be a length-preserving function f: {0,1}* → {0,1}* computable in polynomial time.

Definition 5 [One-way function.] f is one-way if for every probabilistic polynomial-time algorithm A, for all polynomials p and all sufficiently large n,

Pr[ f(x) = f(A(f(x))) | x ∈_R {0,1}^n ] < 1/p(n).

The above definition is of a strong one-way function. Its existence is equiv- 
alent to the existence of the weaker somewhat one-way function using Yao's 
amplification technique [Y82] or the more efficient method of [GILVZ] (which 
is applicable only to permutations or regular functions). (A somewhat one-way 
function has the same definition as above, but the hardness of inversion is smaller, 
i.e. its probability is inverse polynomially away from 1.) 

If in addition f is 1-1 then we say that f is a one-way permutation. For the construction outlined in Section 3 we require a one-way permutation f. (We note that we can also employ k-regular one-way functions in our protocol, since they can be converted into an "almost permutation" [GKL].)

3 Perfectly-Secure Simulatable Bit Commitment 

We present a perfectly-secure scheme and its proof of security. The polynomial-time committer generates a bit encryption which comes from one of two possible distributions. The committer will be able to open the encryption only as a member of one distribution (even though the two distributions are identical).

3.1 The Scheme based on any one-way permutation 

Let f be a strong one-way permutation on {0,1}^n. Let S denote the sender Alice (as defined in 2.1) and R the receiver Bob (as defined). In the beginning of the protocol, S is given a secret input bit b. B(x, y) denotes the dot product mod 2 of x and y.

Commit Stage.

Commit to a bit b.

1. The sender S selects x ∈_R {0,1}^n at random and computes y ← f(x). S keeps both x and y secret from R.

2. The receiver R selects h_1, h_2, ..., h_{n−1} ∈ {0,1}^n such that each h_i is a random vector over GF[2] of the form 0^{i−1} 1 {0,1}^{n−i} (i.e., i − 1 0's, followed by a 1, followed by an arbitrary choice for the last n − i positions). Note that h_1, h_2, ..., h_{n−1} are linearly independent over GF[2].

3. For j from 1 to n − 1:

- R sends h_j to S.

- S sends c_j ← B(h_j, y) to R.

4. At this point there are exactly two vectors y_0, y_1 ∈ {0,1}^n such that for i ∈ {0,1}, c_j = B(y_i, h_j) for all 1 ≤ j ≤ n − 1. y_0 is defined to be the lexicographically smaller of the two vectors. Both S and R compute y_0 and y_1. Let

c = 0 if y = y_b,
c = 1 if y = y_{1−b}.

5. S computes c and sends it to R.

Reveal Stage.

1. S sends b and x to R.

2. R verifies that y = f(x) obeys c_j = B(h_j, y) for all 1 ≤ j ≤ n − 1, and verifies that if c = 0 then y = y_b, and if c = 1 then y = y_{1−b}.

end-commit-protocol

It is clear that the protocol described above can be executed in polynomial 
time by both parties. In the next subsection we will see that it is indeed a 
perfectly secure bit commitment protocol. 
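A runnable miniature of the commit and reveal stages above, added here and not part of the paper. It assumes a toy n = 16 and replaces the one-way permutation f with a trivially invertible bijection (so it exercises the protocol's mechanics, not its hardness), and brute_force_images checks the "exactly two vectors" claim of step 4 exhaustively for a small n.

```python
import secrets

N = 16  # constructed toy security parameter; the paper's n is far larger


def toy_permutation(x: int, n: int = N) -> int:
    """Stand-in for the one-way permutation f on {0,1}^n (an assumption of
    this example): a*x + c mod 2^n with a odd is a bijection, but it is
    trivially invertible, so it is NOT one-way and only drives the protocol."""
    return (0x9E37 * x + 0x5A5A) % (1 << n)


def dot(u: int, v: int) -> int:
    """B(u, v): dot product mod 2 of two n-bit vectors held as ints."""
    return bin(u & v).count("1") & 1


def random_query(i: int, n: int = N) -> int:
    """Step 2: h_i = 0^{i-1} 1 {0,1}^{n-i}; position 1 is the most significant bit."""
    return (1 << (n - i)) | secrets.randbelow(1 << (n - i))


def consistent_images(queries, answers, n: int = N):
    """Step 4: the two y in {0,1}^n with B(h_j, y) = c_j for all j.
    The echelon form of the h_j makes this plain back-substitution: position n
    is free and y_i = c_i xor B(tail of h_i, y_{i+1..n}) for i = n-1 .. 1.
    Returns (y0, y1) with y0 the lexicographically (numerically) smaller."""
    sols = []
    for free in (0, 1):
        y = free
        for i in range(n - 1, 0, -1):
            h, c = queries[i - 1], answers[i - 1]
            tail = h & ((1 << (n - i)) - 1)      # the {0,1}^{n-i} part of h_i
            y |= (c ^ dot(tail, y)) << (n - i)
        sols.append(y)
    return tuple(sorted(sols))


class Sender:
    """S (Alice) of Section 3.1, committing to the secret bit b."""

    def __init__(self, b: int, n: int = N):
        self.b, self.n = b, n
        self.x = secrets.randbelow(1 << n)          # step 1: x <- {0,1}^n
        self.y = toy_permutation(self.x, n)         # y <- f(x); both stay secret

    def answer(self, h: int) -> int:
        return dot(h, self.y)                       # step 3: c_j <- B(h_j, y)

    def final_bit(self, y0: int, y1: int) -> int:
        return 0 if self.y == (y0, y1)[self.b] else 1   # step 4: c = 0 iff y = y_b


def commit(sender: Sender, n: int = N) -> dict:
    """Commit stage with an honest receiver R; returns everything R saw."""
    queries, answers = [], []
    for i in range(1, n):                           # steps 2-3: n-1 rounds
        h = random_query(i, n)
        queries.append(h)
        answers.append(sender.answer(h))
    y0, y1 = consistent_images(queries, answers, n)
    return {"queries": queries, "answers": answers, "c": sender.final_bit(y0, y1)}


def verify_reveal(view: dict, b: int, x: int, n: int = N) -> bool:
    """Reveal stage: R's check of the opening (b, x) against its view."""
    y = toy_permutation(x, n)
    if any(dot(h, y) != c for h, c in zip(view["queries"], view["answers"])):
        return False                                # f(x) violates some c_j
    y0, y1 = consistent_images(view["queries"], view["answers"], n)
    wanted = (y0, y1)[b] if view["c"] == 0 else (y0, y1)[1 - b]
    return y == wanted


def brute_force_images(queries, answers, n: int) -> list:
    """Exhaustively confirm the 'exactly two vectors' claim of step 4 (small n)."""
    return [y for y in range(1 << n)
            if all(dot(h, y) == c for h, c in zip(queries, answers))]


def view_is_hiding(view: dict, n: int = N) -> bool:
    """Theorem 2 in miniature: R's view admits an opening to b = 0 and to b = 1
    (one per candidate image), so it carries no information about b; only a
    preimage of the right candidate, which S alone holds, selects one."""
    y0, y1 = consistent_images(view["queries"], view["answers"], n)
    opening = {b: (y0, y1)[b] if view["c"] == 0 else (y0, y1)[1 - b] for b in (0, 1)}
    return {opening[0], opening[1]} == {y0, y1}
```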

3.2 Proof of security 

Theorem 1. If one-way permutations exist, then the scheme presented in Section 3.1 is a perfectly-secure, computationally-binding bit commitment scheme.

Theorem 1 follows from the two theorems below, the security theorem and 
the binding theorem, respectively. 

Theorem 2. For any receiver R', after the commit stage the bit b is hidden information-theoretically.

Proof: We can prove inductively on j that for any choice of h_1, h_2, ..., h_j the conditional distribution of y given h_1, h_2, ..., h_j, c_1, c_2, ..., c_j is uniform in the subspace defined by h_1, h_2, ..., h_j and c_1, c_2, ..., c_j. Thus, at step 4 the probability that y = y_0 is exactly 1/2. Therefore giving away c yields nothing about b. □
Theorem 3. Assume there exists a probabilistic polynomial-time S'(n) that, following the commit stage, can reveal to an honest receiver two different values for b with non-negligible probability (over its coin-flips) ε = ε(n). Then there exists a probabilistic polynomial-time algorithm A that inverts f on a non-negligible fraction of the y's in {0,1}^n.

Proof: Using such an S' we now construct the algorithm A to invert f. A has a fixed polynomial time bound and it aborts if its runtime exceeds the bound. By assumption, there exists a set Ω of an ε(n) fraction of strings such that if the random tape of S' is initialized with ω ∈ Ω, S' succeeds in revealing two different values for b after the commit stage of n − 1 rounds. We may fix such an ω and view S' as deterministic. This is justified, since one can repeatedly run A with the random tape of S' initialized with ω_i, i := 1, ..., m = 1/ε², and with probability 1 − … some ω_i ∈ Ω. We treat S' as a deterministic algorithm from now on.

The responses c_i of S' to the queries h_i sent by R define a rooted tree T whose edges are labeled in {0,1}. A path from the root to a leaf is defined by an assignment to h_1, h_2, ..., h_{n−1} and it is labeled with c_1, c_2, ..., c_{n−1}. A node U at level i corresponds to a state of S' after i − 1 stages. It is defined by h_1, ..., h_{i−1} and c_1, ..., c_{i−1}. The outgoing edges of U correspond to R's 2^{n−i} possible queries. These edges are labeled with the responses of S'. Note that since S' may be cheating, his answers need not be consistent, and on the same query S' may give different answers depending on the previous queries.

For a leaf u, let {y_0(u), y_1(u)} be the set consistent with S''s answers; we say u is good if, given that R's queries define u, S' succeeds in opening the committed bit in two different ways, i.e., S' inverts both y_0(u) and y_1(u).

Description of A: A gets as input a random image y in {0,1}^n and attempts to invert y. To do so, A tries to find a good leaf u such that y ∈ {y_0(u), y_1(u)}. Starting at the root, A develops node by node a path consistent with y. Fix j to be n − 8(log(n/ε) + 1). For j rounds A does as follows: for 1 ≤ i ≤ j, at the i-th round the path so far is defined by h_1, h_2, ..., h_{i−1} and the labels are c_1, c_2, ..., c_{i−1} such that c_k = B(h_k, y). Now, a random h of the form 0^{i−1} 1 {0,1}^{n−i} is chosen (note that h is linearly independent from h_k, k < i). If the edge h is labeled with B(h, y), then h_i ← h and the path is expanded by the new node. Otherwise, S' is reset to the state before its reply, and a new candidate for h_i is chosen. This is repeated until either a success or until there are no more candidates left, in which case A aborts. If A reaches the j-th level, it guesses the remaining n − j queries h_j, h_{j+1}, ..., h_{n−1} and checks whether the path to the leaf is labeled consistently with B(y, h_i). If it is and the leaf reached is good, then A has succeeded in inverting y.
The rest of this proof is devoted to showing that A as defined above has probability at least ε^{10}/(8e³n^8) of inverting y. Note that A as described above does not necessarily halt after a polynomial number of steps. However, as we shall see at the end of the proof, we can limit the total number of unsuccessful attempts at finding a consistent h to 8n without significantly decreasing the probability that A succeeds in inverting y.

Before we continue we introduce some notation. Since we are dealing with several types of vectors of length n over GF[2], we will distinguish them by calling those vectors that are sent by R queries, and those vectors which may be the image that A attempts to invert images. Let U be a node at the i-th level of the tree, defined by h_1, h_2, ..., h_{i−1} and c_1, c_2, ..., c_{i−1}. We say that y ∈ {0,1}^n is an image in U if B(h_k, y) = c_k for all 1 ≤ k < i. We denote the set of images of U by I(U). We know that |I(U)| = 2^{n−i+1}. We say that h ∈ {0,1}^n is a query of U if it is of the form 0^{i−1} 1 {0,1}^{n−i}.

Let Δ(U, y) = |{h | h is a query of U and B(h, y) agrees with the label of h at U}|.

An image y is balanced in U_i, a node of the i-th level, if

1 − 1/n ≤ Δ(U_i, y) / 2^{n−i−1} ≤ 1 + 1/n.

An image y is fully balanced in U, a node of the j-th level, if it is balanced in all the ancestors of U. Define F(U) as the set of all y ∈ I(U) that are fully balanced in U. For a set of queries H at a node U and an image y of U, the discrepancy of y at H is the absolute difference between |H|/2 and the number of queries in H that agree with y. Finally, recall that j = n − 8(log(n/ε) + 1).

Lemma 4. For any node U of level j, at least 2^{n−j}(1 − β) for β = 2^{−3(n−j)/4} of the images of U have the property that 2^{n−j} − 2^{7(n−j)/8} ≤ Δ(U, y) ≤ 2^{n−j} + 2^{7(n−j)/8}.

Proof: First note that any pair of queries h', h'' of U has the property that h'' is linearly independent of h', h_1, h_2, ..., h_{j−1}. Now suppose that an image y of U is chosen at random and consider the indicator a_h which is 1 whenever B(h, y) is equal to U's response on h. For any h we have that Prob[a_h = 1] = 1/2 and for every pair h', h'' the events a_{h'} and a_{h''} are pairwise independent. We are essentially interested in

$$\Pr\Big[\Big|\sum_{h \text{ query of } U} a_h - E\Big[\sum_{h \text{ query of } U} a_h\Big]\Big| \ge 2^{7(n-j)/8}\Big] \qquad (1)$$

By Chebyshev's inequality

$$\Pr\Big[\Big|\sum_{h \text{ query of } U} a_h - E\Big[\sum_{h \text{ query of } U} a_h\Big]\Big| \ge \lambda \sqrt{\mathrm{Var}\Big[\sum_h a_h\Big]}\Big] \le \frac{1}{\lambda^2}.$$

Var[Σ_h a_h] is 2^{n−j} and hence (1) is at most 2^{−3(n−j)/4}.

Lemma 5. For any node U of level j and random image y of U, the probability that y is fully balanced in U is at least 1 − γ for γ = n 2^{−5(n−j)/8}.

Proof: Let U_1, U_2, ..., U_j = U be the nodes on the path to U. For any 1 ≤ i ≤ j we can partition the 2^{n−i} queries of U_i into 2^{j−i} subsets H_1, H_2, ..., H_{2^{j−i}} of size 2^{n−j} each, such that for any 1 ≤ l ≤ 2^{j−i} and h', h'' ∈ H_l we have that h' is linearly independent of h_{i+1}, ..., h_j, h''. Therefore, similarly to Lemma 4, we have that

$$\Pr\Big[\Big|\sum_{h \in H_l} a_h - E\Big[\sum_{h \in H_l} a_h\Big]\Big| \ge 2^{7(n-j)/8}\Big] \le 2^{-3(n-j)/4}.$$

Therefore by Markov's inequality the probability that more than a 2^{−(n−j)/8} fraction of the H_l's have a discrepancy larger than 2^{7(n−j)/8} is at most 2^{−5(n−j)/8}. Therefore with probability at least 1 − 2^{−5(n−j)/8} the total discrepancy at node U_i is at most

$$2^{-(n-j)/8}\, 2^{n-j}\, 2^{j-i} + \big(1 - 2^{-(n-j)/8}\big)\, 2^{7(n-j)/8}\, 2^{j-i} \le 2 \cdot 2^{7n/8 + j/8 - i} \qquad (2)$$

and hence with probability at least 1 − 2^{−5(n−j)/8} we have

$$1 - \frac{1}{n} \le 1 - 2^{-(n-j)/8 + 1} \le \frac{\Delta(U_i, y)}{2^{n-i-1}} \le 1 + 2^{-(n-j)/8 + 1} \le 1 + \frac{1}{n}.$$

The probability that y is balanced at all the levels is therefore at least 1 − n 2^{−5(n−j)/8} = 1 − γ.

Lemma 6. The probability that a node U of the j-th level is reached by an execution of A is at least (1 − γ)/e times the probability that it is reached by an execution of S'.

Proof: Let U_1, U_2, ..., U_j = U be the nodes on the path to U from the root. For any node U_i the probability that U_i is reached in S' is ∏_{k=1}^{i−1} 1/2^{n−k}. On the other hand

$$\Pr[U \text{ is reached by } A] = \sum_{y \in I(U)} \Pr[y \text{ is chosen and } U \text{ is reached}] \ge \sum_{y \in F(U)} \Pr[y \text{ is chosen and } U \text{ is reached}]$$

$$= \sum_{y \in F(U)} \frac{1}{2^n} \prod_{i=1}^{j-1} \frac{1}{\Delta(U_i, y)} \ge \sum_{y \in F(U)} \frac{1}{2^n} \prod_{i=1}^{j-1} \frac{1}{(1 + 1/n)\, 2^{n-i-1}}$$

$$\ge \frac{2^{n-j+1}(1-\gamma)}{2^n (1 + 1/n)^n} \prod_{i=1}^{j-1} \frac{1}{2^{n-i-1}} \ge \frac{1-\gamma}{e} \prod_{i=1}^{j-1} \frac{1}{2^{n-i}}.$$

Lemma 7. The probability that the image A is trying to invert is fully balanced at the j-th level is at least (1 − γ)/e.

Proof: For every node U of the j-th level and every fully balanced image y of U we have that Prob[y is chosen and U is reached] ≥ (1/(e 2^n)) ∏_{i=1}^{j−1} 1/2^{n−i−1}. Hence,

$$\Pr[U \text{ is reached with a fully balanced } y] \ge 2^{n-j+1}(1-\gamma) \cdot \frac{1}{e\, 2^n} \prod_{i=1}^{j-1} \frac{1}{2^{n-i-1}} = \frac{1-\gamma}{e} \prod_{i=1}^{j-1} \frac{1}{2^{n-i}}.$$

The number of nodes at the j-th level is ∏_{i=1}^{j−1} 2^{n−i} and therefore the probability that the image chosen is fully balanced at the j-th level is at least (1 − γ)/e.

Call a node U good if at least an ε fraction of the leaves of the subtree rooted at U have the property that S' succeeds in cheating, i.e., inverting both images. By assumption, the fraction of good nodes U is at least ε. Hence, by Lemma 6 the probability that A reaches a good U at level j is at least (1 − γ)ε/e.

Lemma 8. In any good node U of level j, the fraction of the good leaves that have at least one image that is in F(U) is at least ε/2.

Proof: Any pair of images y_1 ≠ y_2 in I(U) can be together in at most 1/2^{n−j} of the leaves: in any node U' along the way from U to the leaves and for a random query h of U' we have Prob[B(h, y_1) = B(h, y_2)] = 1/2. Since there are at most γ 2^{n−j+1} images that are not fully balanced in U, at most

$$\frac{(\gamma\, 2^{n-j+1})^2}{2^{n-j+1}} \le 2\gamma^2\, 2^{n-j} = n^2\, 2^{-(n-j)/4 + 1} = n^2\, 2^{-2(\log(n/\varepsilon) + 1) + 1} < \frac{\varepsilon^2}{2}$$

of the leaves have both of their images among the unbalanced ones. Therefore at least ε − ε²/2 ≥ ε/2 of the leaves are both good and have at least one image which is fully balanced at U.

Lemma 9. For any good node U of level j and z ∈ F(U), given that U was reached with a fully balanced y, the probability that y = z is at least 1/(e² 2^{n−j+1}).

Proof: We would like to bound from below

$$\frac{\Pr[z \text{ is chosen and } U \text{ is reached}]}{\Pr[U \text{ is reached and the image is fully balanced}]} \qquad (3)$$

We know that

$$\Pr[U \text{ is reached and the image is fully balanced}] = \sum_{y \in F(U)} \Pr[y \text{ is chosen and } U \text{ is reached}] = \sum_{y \in F(U)} \frac{1}{2^n} \prod_{i=1}^{j-1} \frac{1}{\Delta(U_i, y)}$$

$$\le \sum_{y \in F(U)} \frac{1}{2^n} \prod_{i=1}^{j-1} \frac{1}{(1 - 1/n)\, 2^{n-i-1}} \le \frac{e\, 2^{n-j+1}}{2^n} \prod_{i=1}^{j-1} \frac{1}{2^{n-i-1}} = e \prod_{i=1}^{j-1} \frac{1}{2^{n-i}}.$$

As can be seen from the proof of Lemma 6, for any z ∈ F(U) we have that

$$\Pr[z \text{ is chosen and } U \text{ is reached}] \ge \frac{1}{e\, 2^{n-j+1}} \prod_{i=1}^{j-1} \frac{1}{2^{n-i}}.$$

Therefore (3) is at least 1/(e² 2^{n−j+1}).

Lemma 10. The probability that A is successful is at least ε^{10}/(4e³n^8).

Proof: Suppose that (a) A reaches a good node U at level j and the y is fully balanced, and (b) h_j, h_{j+1}, ..., h_{n−1} define a path to a good leaf that has at least one image in F(U). Call this image z. Then by Lemma 9 we know that the probability that y = z is at least 1/(e² 2^{n−j+1}). The probability that (a) occurs is at least ε(1 − γ)/e by Lemma 7, and that (b) occurs given (a) is at least ε/2 by Lemma 8. Therefore the probability of success is at least

$$\frac{\varepsilon^2 (1-\gamma)}{4 e^3\, 2^{n-j}} \ge \frac{\varepsilon^{10}}{4 e^3 n^8}.$$

Note that we have only considered A's successes when y was fully balanced at level j. However, given that y is fully balanced at level j, the probability that A had many unsuccessful candidates until it reached the j-th level is small: we know that y is balanced at U_i for all 1 ≤ i ≤ j and therefore Δ(U_i, y)/2^{n−i} ≥ 1/4. Therefore the probability that A had to try more than 8n candidates for the h_i's until reaching level j is exponentially small in n, and we have that even if we bound the run time of A by 8n² the probability of success is still at least ε^{10}/(8e³n^8). If ε is non-negligible, then this is non-negligible as well. This concludes the proof of Theorem 3.



For our applications we need a simulatable bit commitment and a commitment of knowledge (to be defined in the full version along the lines of [BG]).

Theorem 11. There is a perfectly-secure commitment scheme which is simulatable and is a commitment of knowledge.

Proof sketch: All actions of S are in polynomial time, so simulatability 
(generating the same distribution in polynomial time) is given. 

To achieve simulatable commitment of knowledge, one has to modify the 
basic protocol described above as follows. The protocol's steps 1,2, and 3 will be 
first performed twice. At this point R asks S to open the chosen x which is the 
pre-image of y of one of the instances and continue the protocol with the other 
instance. Obviously, the security and binding properties are maintained. 

To get a commitment of knowledge, we have an extraction algorithm X which plays steps 1, 2, and 3 twice. Then it decides on which instance to continue: it asks to open it and gets y, then the simulation is backtracked and the other instance is asked to be opened, and the actual commitment is done using the (by now known) y in steps 4 and 5 (given the input bit b to the machine X). The probability that the commitment will be different is negligible under the hardness assumption, as was shown above. □

Next, we can state the following known "reduction theorems" present in the works on computational (perfect) zero-knowledge proofs (arguments) [GMW, BCC, IY].

Theorem 12. If there is a (perfectly-secure commitment) [commitment] scheme 
which is simulatable by an expected probabilistic polynomial-time machine ("in- 
teracting" with the receiver) and the receiver is polynomial-time, then there is a 
(perfect zero-knowledge argument) [computationally zero-knowledge proof] for any 
statement in NP. 

The perfectly-secure simulatable bit-commitment protocol can be used in the general scheme above. In addition, the general proof system scheme can also be shown to give a "proof of possession of a witness" (i.e., proof of knowledge) as formalized in [FFS, TW, BG]. Thus, combining the above gives our main result:

Theorem 13. If any one-way permutation exists, then there exist perfect zero-knowledge arguments for proving language membership as well as for proving knowledge of a witness.






4 Discussion 

There are various other applications of information-theoretically secure bit commitment. For example, another application of the bit commitment above is a "coin-flipping protocol" (introduced by Blum [B]) with perfect security, assuming only one-way permutations.

For practical purposes consider the data encryption standard (DES) [Kon]. Given a k-regular [GKL] one-way function (i.e., the number of pre-images of a point is ≤ k, and is k on a significant fraction), one can transform it into a one-way function which is 1-1 almost everywhere [GILVZ]. We apply this to the function DES(k, m) = y (k = key, m = message) where (the actual parameters used are) k ∈ {0,1}^{56}, m, y ∈ {0,1}^{64}. Assuming that DES is not breakable on-line (say in 10 seconds), it is a good candidate for our scheme. We explore this further in the full version of the paper. The security of the commitment is not perfect but rather almost perfect (the probability of guessing the commitment is not exactly 1/2, but it is close to 1/2). We note that DES is available in many machines and usually in an optimized hardware circuit.

It is an interesting question whether a general one-way function with no additional property suffices for zero-knowledge arguments. Reducing the number of rounds (by more than the achievable logarithmic factor) is interesting as well.
Abstract. We exhibit a two-prover perfect zero-knowledge proof system for 3-SAT. In this protocol, the verifier sends a single message to each prover, whose size grows logarithmically in the size of the 3-SAT formula. Each prover's answer consists of only a constant number of bits. The verifier will always accept correct proofs. Given an unsatisfiable formula S the verifier will reject with probability at least $c(|S| - \text{max-sat}(S))/|S|$ for a constant $c > 0$, where max-sat(S) denotes the maximum number of clauses of S that may be simultaneously satisfied, and |S| denotes the total number of clauses of S. Using a recent result by Arora et al. [2], we can construct for any language in NP a protocol with the property that any non-member of the language is rejected with constant probability.

1 Introduction 

In a multiple-prover interactive proof system, several provers, $P_1, P_2, \ldots$ try to convince a verifier V that a common input x belongs to a language L. The verification proceeds in rounds; in each round, the verifier sends to each prover a private message (query) and receives an answer. Each prover sees only the queries addressed to it, and cannot communicate with the other provers (at least until the end of the round). When the protocol ends, the verifier decides, based on the input string and the messages received, whether or not to accept.

Multi-prover proof systems were introduced by Ben-Or, Goldwasser, Kilian and Wigderson [7] in order to obtain zero knowledge proofs without relying on complexity assumptions such as the existence of one-way functions. In this paper we show another advantage of multi-prover proof systems by exhibiting a low communication two-prover perfect zero-knowledge proof system for 3-SAT (and thus for every language in NP). In contrast, no such low communication zero knowledge protocol is possible in a single prover proof system, unless $NP \subseteq BPP$.

Kilian [16] has provided additional motivation for striving for low communication in the two prover setting: he suggests enforcing the separation of the two provers by keeping them (say the two provers are implemented on a smart card) at some distance from each other. If the distance is long enough and the communication complexity is low, then the two provers do not have enough time to communicate during the execution of the protocol.

In the protocol we present, the verifier sends to each of the two provers a query whose length is logarithmic in the length of the input string, and receives back answers whose length is constant. If the input string is not in the language, then the verifier detects cheating with some fixed probability $\alpha > 0$. The protocol is perfect zero-knowledge, i.e. there is a polynomial time machine, called the simulator, that produces for every possible (possibly cheating) verifier the same distribution of conversations as the verifier would have had with two "real" provers.

To reduce the probability of error to $2^{-k}$ (rather than $1 - \alpha$), the protocol can be executed O(k) times sequentially. Lapidot and Shamir [18] have provided an elegant zero-knowledge two prover protocol which is parallelizable, i.e. running copies of it in parallel decreases the probability of error exponentially in the number of copies. However, it is not known whether this is true for general protocols. Feige and Lovász [13] (continuing [19]) have provided a method that can be applied to any protocol in order to obtain a parallelizable protocol; however, the method does not preserve zero-knowledge. Finding such a method that preserves zero-knowledge is an open question.

In our protocol the two provers share a common random string of only logarithmic length. Thus, even if we consider the shared random string to be part of the communication complexity of the protocol, it is still logarithmic.
The existence of a shared random string is necessary, since we show that for low 
communication zero-knowledge protocols, the only languages that do not require 
the two provers to share a common random string are exactly those in BPP. 

Our protocol is constructive in the sense that once two provers know a satis- 
fying assignment to the formula, all they are required to do is some polynomial 
time computation. 

1.1 Definitions 

Definition 1 We say that a language L has a two prover interactive proof system if there exists an interactive probabilistic polynomial time machine (called the verifier) V and two interactive machines $P_1$, $P_2$ called Prover 1 and Prover 2 respectively, satisfying the following conditions. All three machines have a common input x which may or may not be in L. The two provers once and for all agree on a common strategy. Moreover, prior to each execution of the protocol, they may interact in order to share random bits. Once the protocol begins, they are assumed to be isolated from each other. The three machines follow a prescribed protocol consisting of several rounds; in each round, the verifier sends to each prover in private a message (query) and receives an answer. When the protocol ends, the verifier decides whether or not to accept, based on the input string and the messages received. The protocol must satisfy

— $\forall x \in L$ there exist machines $P_1$ and $P_2$ such that V accepts with probability 1 (completeness);

— there is a fixed constant $\alpha > 0$ such that $\forall x \notin L$ and $\forall P_1, P_2$ the probability that V accepts on input x is at most $1 - \alpha$.

Note that this definition is not standard in that $\alpha$ is not required to be, say, 2/3. However, by running the protocol sequentially several times (as a function of $\alpha$) one can get an arbitrarily small probability of accepting erroneously. Showing that the probability goes down when the protocols are run in parallel is a major open problem in this area.

Part of the strategy that the two provers agree on may simply be a common 
random string. This is used to obtain the zero-knowledge property defined below. 

Definition 2 For a given verifier V, provers $P_1$ and $P_2$, and input x, we define $\mathrm{View}_{V,P_1,P_2}(x)$ to be the distribution over the interaction between verifier V and provers $P_1$ and $P_2$. This distribution is over V's coin tosses and the random choices made by $P_1$ and $P_2$.

Definition 3 A two prover interactive protocol $V', P_1, P_2$ is perfect zero-knowledge for $V'$ if there exists a probabilistic polynomial time machine S that on input x outputs a string whose distribution is $\mathrm{View}_{V',P_1,P_2}(x)$. A language L is said to have a perfect zero-knowledge protocol if it has a two-prover interactive proof system $V, P_1, P_2$ such that for every $V'$ the protocol $V', P_1, P_2$ is perfect zero-knowledge for $V'$.

The communication complexity of a protocol is composed of three parts: 

1. the total length of the queries sent by the verifiers; 

2. the total length of the answers given by the provers; 

3. the length of the random string shared by the two provers. 

The term low communication will mean that the sum of these three compo- 
nents is logarithmic in the length of the input string. 

1.2 Background 

Multi-prover proof systems have inspired much research in Complexity Theory [5, 8, 9, 10, 11, 13, 14, 19]. In particular, Babai, Fortnow and Lund have shown that the class of languages that are recognized by multiple prover proof systems where the verifier is a polynomial time machine and the communication is restricted to be of polynomial length is exactly NEXP-Time. This was scaled down to the NP setting [3, 4, 12], culminating in the result of Arora, Lund, Motwani, Sudan and Szegedy [2] showing a two prover proof system for NP in which the length of the queries that the verifier sends to the provers is logarithmic in the length of the input string, and the answers are of constant length. From this they derive:
Theorem 1 [2] There is a $\beta > 0$ such that for any language $L \in NP$ there is a polynomial time reduction R from L to 3-CNF formulas such that for $x \in L$, R(x) is a satisfiable 3-CNF, and for all $x \notin L$, a fraction of at most $1 - \beta$ of the clauses of R(x) can be satisfied simultaneously. The proof is constructive in the sense that given a witness for x's membership in L, there is a polynomial time procedure that yields a satisfying assignment to R(x).

We will apply this theorem to get our protocols. This theorem (or actually its precursor [4]) was already used by Kilian [17] to lower the communication complexity of single prover zero knowledge arguments and proof systems. However, by a simple observation, the only languages that have a single prover proof system with logarithmic communication are those in BPP. Thus, if we are aiming at logarithmic communication we must have two provers.

We further observe that the two provers must share a random string in order for a low-communication protocol to be zero-knowledge; for if not, by running the simulator enough times we can get the response on any query to each prover, and thus can simulate each prover on-line. If the two provers do not share a random string, then their responses are independent polynomial time samplable distributions and thus there is a probabilistic polynomial time machine that can compute the probability that the verifier accepts, whence L is in BPP. We do not know whether it is possible for the two provers to share fewer than the logarithmically many random bits required by our protocol. However, in Section 3 we show that $\Omega(\log\log n)$ random bits are essential.

2 The Interactive Proof System 

We construct the interactive proof system in two steps. In the first step we use the result of Barrington [6] to reduce checking that an assignment satisfies F to checking that an assignment to variables in the permutation group $S_5$ satisfies certain equations (over $S_5$). More precisely, each clause of F gives rise to one equation over $S_5$. We also provide a way for the verifier to check consistency among distinct occurrences of each literal in F. In the second step we use the randomizing tableaux of Kilian [15] to construct for each equation a 2-prover interactive proof system for an assertion about a product.

The entire proof system is therefore as follows. All parties apply Barrington's result to obtain the set of equations over variables in $S_5$. The Verifier then randomly chooses either to check consistency or to check that a randomly chosen clause is satisfied. We now describe each of these steps and checks.

2.1 Reduction to Equations over $S_5$

For reasons of zero-knowledge we first make F a little more "robust" by expressing each variable $y_a \in F$ as the exclusive or of three new sub-variables $x_{a1}, x_{a2}, x_{a3}$. Note that information about up to three variables in the robust formula gives no information about any variable in F. From now on we simply assume that F is in this robust form.
Following the exposition in [6], a permutation branching program of width 5 and depth d is a level graph. Each level is labeled with one of n input variables $x_1, \ldots, x_n$, and contains 5 vertices. Associated with each level $\ell$ is a pair of permutations $\pi_0^\ell, \pi_1^\ell \in S_5$. Given a setting of the input variables, the level yields the permutation $\pi_j^\ell$ if the variable associated with level $\ell$ has value $j \in \{0, 1\}$ in the assignment. On input setting x the branching program yields the product of the permutations yielded by each of the levels. For level $\ell$ we let $g_\ell$ denote the variable over $S_5$ that has value either $\pi_0^\ell$ or $\pi_1^\ell$ according to the value of the (Boolean) input variable associated with level $\ell$.

A permutation branching program B is said to five-cycle recognize a set $A \subseteq \{0, 1\}^n$ if there exists a five-cycle $\sigma \in S_5 \setminus \{e\}$ (called the output) such that $B(x) = \sigma$ if $x \in A$ and $B(x) = e$ if $x \notin A$, where e is the identity permutation.

Theorem 2 (Barrington [6]): Let A be recognized by a depth d fan-in 2 Boolean circuit. Then A is five-cycle recognized by a permutation branching program of depth $4^d$.

We will apply Barrington's result to a very specific type of circuit: one that checks that the clause

$(y_{i_1,1} \oplus y_{i_1,2} \oplus y_{i_1,3}) \vee (y_{i_2,1} \oplus y_{i_2,2} \oplus y_{i_2,3}) \vee (y_{i_3,1} \oplus y_{i_3,2} \oplus y_{i_3,3})$

is satisfied by the input. The clause has at most 9 distinct variables.

We assume that the robust F is a conjunction of clauses of the type just described (that is, F is in a sort of robust 3-CNF), so each clause has constant size. For each clause $c_i$ having variables $x_{i1}, x_{i2}, \ldots, x_{i9}$ all three parties create a constant-depth Boolean circuit $C_i$ which, given an assignment $x_I$ to the $x_{ij}$'s, checks that $x_I$ satisfies $c_i$. Letting $A_i$ be the set of assignments to $x_{i1}, x_{i2}, \ldots, x_{i9}$ satisfying $C_i$, the parties then apply Barrington's result to obtain a permutation branching program $B_i$ that five-cycle recognizes $A_i$. Let $\sigma_i \in S_5$ be the output of $B_i$. Letting d be the depth of $B_i$, the construction yields an equation $g_{i1} \cdots g_{id} = \sigma_i$.

Here, $g_{ij}$ is associated with the (Boolean) variable that labels level j in $B_i$, taking on $\pi_0^{i,j}$ or $\pi_1^{i,j}$ according to the value of the associated Boolean variable. Thus, F is satisfiable if and only if (1) for all $1 \le i \le m$, the equations $g_{i1} \cdots g_{id} = \sigma_i$ are satisfiable (over the $\pi^{i,j}$'s), and (2) for all $\ell, p, j, q$ such that the same variable is associated with level $\ell$ of $B_p$ and level j of $B_q$, $g_{p\ell} = \pi_0^{p,\ell}$ iff $g_{qj} = \pi_0^{q,j}$ in this satisfying assignment to the g's.
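As an added worked example (not code from the paper), the Barrington construction of Section 2.1 carried out in Python for a single clause $x_0 \vee x_1 \vee x_2$ (the exclusive-or layer of the robust form is omitted): one-level programs are combined by negation and the commutator trick, and the result is checked over all 8 inputs to yield the output five-cycle exactly when the clause is satisfied and the identity otherwise. The pair of five-cycles $\sigma$, $\tau$ is found by search here rather than taken from [6].

```python
from itertools import permutations, product

# Elements of S5 as tuples over {0,..,4}: p[i] is the image of i.
E = (0, 1, 2, 3, 4)

def mul(p, q):
    """Product 'p then q' (apply p first), so a level sequence multiplies left to right."""
    return tuple(q[p[i]] for i in range(5))

def inv(p):
    r = [0] * 5
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)

def commutator(a, b):
    return mul(mul(mul(a, b), inv(a)), inv(b))

def is_five_cycle(p):
    # Follow the cycle through 0; p is a five-cycle iff that cycle has length 5.
    i, n = p[0], 1
    while i != 0:
        i, n = p[i], n + 1
    return n == 5

# Two five-cycles whose commutator is again a five-cycle (found by search, as Barrington's lemma promises).
SIGMA = (1, 2, 3, 4, 0)
TAU = next(t for t in permutations(range(5))
           if is_five_cycle(t) and is_five_cycle(commutator(SIGMA, t)))

# A program is (levels, output); levels is a list of (variable index, pi_0, pi_1).

def evaluate(levels, x):
    """B(x): the product over levels of pi_1 or pi_0 according to the level's variable."""
    result = E
    for v, p0, p1 in levels:
        result = mul(result, p1 if x[v] else p0)
    return result

def var_program(i, out):
    """Five-cycle recognizes {x : x_i = 1} with output `out`."""
    return [(i, E, out)], out

def conjugate(prog, target):
    """Turn B(x) into t^-1 B(x) t, choosing t so that the output five-cycle becomes `target`."""
    levels, out = prog
    t = next(t for t in permutations(range(5)) if mul(mul(inv(t), out), t) == target)
    levels = [list(lv) for lv in levels]
    levels[0][1:] = [mul(inv(t), p) for p in levels[0][1:]]   # premultiply the first level
    levels[-1][1:] = [mul(p, t) for p in levels[-1][1:]]      # postmultiply the last level
    return [tuple(lv) for lv in levels], target

def not_program(prog):
    """Multiply by out^-1: members now yield e and non-members yield out^-1 (a five-cycle)."""
    levels, out = prog
    levels = [list(lv) for lv in levels]
    levels[-1][1:] = [mul(p, inv(out)) for p in levels[-1][1:]]
    return [tuple(lv) for lv in levels], inv(out)

def inverse_levels(levels):
    """A program computing B(x)^-1: reverse the levels and invert every permutation."""
    return [(v, inv(p0), inv(p1)) for v, p0, p1 in reversed(levels)]

def and_program(a, b):
    """Commutator construction: A B A^-1 B^-1 is e unless both A and B yield their five-cycles."""
    la, _ = conjugate(a, SIGMA)
    lb, _ = conjugate(b, TAU)
    return la + lb + inverse_levels(la) + inverse_levels(lb), commutator(SIGMA, TAU)

def clause_program():
    """Five-cycle recognize x0 OR x1 OR x2 via De Morgan: NOT(AND(AND(NOT x0, NOT x1), NOT x2))."""
    nx = [not_program(var_program(i, SIGMA)) for i in range(3)]
    return not_program(and_program(and_program(nx[0], nx[1]), nx[2]))

def recognizes_clause(prog):
    """B(x) must be the output when the clause is satisfied and e otherwise, for all 8 inputs."""
    levels, out = prog
    return all(evaluate(levels, x) == (out if any(x) else E)
               for x in product((0, 1), repeat=3))

if __name__ == "__main__":
    levels, out = clause_program()
    print("depth", len(levels), "output", out, "correct", recognizes_clause((levels, out)))
```

The resulting program has depth 10 (well below the $4^d$ bound), and each level depends on a single clause variable, which is what the consistency check of Section 2.2 relies on.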

2.2 Checking an Equation 

Consider the ith equation $g_{i1} g_{i2} \cdots g_{id} = \sigma_i$. Let us suppress the subscript i for ease of notation, so that we get $g_1 g_2 \cdots g_d = \sigma$. Let $h = \{h_j : 1 \le j \le d,\ h_j \in \{\pi_0^j, \pi_1^j\}\}$ be an assignment to the g's satisfying the equation. We use a slight modification of the randomizing tableaux of Kilian [15] to allow the Provers to convince the verifier of the existence of h.

Let T be the following array with 3 rows and d columns. $T[1, j] = h_j$ for all $1 \le j \le d$. Note that $\prod_{1 \le j \le d} T[1, j] = \sigma$. Let $r_{1,1}, \ldots, r_{1,d-1}$ be elements of $S_5$ chosen independently and uniformly at random. Then $T[2, 1] = h_1 r_{1,1}$, $T[2, d] = r_{1,d-1}^{-1} h_d$, and for all $1 < j < d$, $T[2, j] = r_{1,j-1}^{-1} h_j r_{1,j}$. Note that again $\prod_{1 \le j \le d} T[2, j] = \sigma$. Finally, we randomize again, choosing $d - 1$ new random elements $r_{2,1}, \ldots, r_{2,d-1} \in S_5$, and setting $T[3, 1] = T[2, 1] r_{2,1}$, $T[3, d] = r_{2,d-1}^{-1} T[2, d]$, and for all $1 < j < d$, $T[3, j] = r_{2,j-1}^{-1} T[2, j] r_{2,j}$. Once again $\prod_{1 \le j \le d} T[3, j] = \sigma$. Moreover, neither the second nor the third row of T contains any information about the assignment h.

For any i, j such that $i \in \{1, 2\}$ and $j \in \{1, \ldots, d\}$, let the i,j rectangle be the two entries $T[i, j], T[i+1, j]$. Given the i,j rectangle and the random elements $r_{i,j-1}, r_{i,j}$ (if $j = 1$ or $j = d$ then only one of these is defined), it is easy to check that $r_{i,j-1}^{-1} T[i, j] r_{i,j} = T[i+1, j]$. In addition, if T is not a randomizing tableau for h, $\sigma$ then some rectangle will fail this test [15]. This suggests the following 2-prover interactive proof system.

The Verifier interacts with each prover once. In each interaction it may make the following requests. From $P_1$ it can request to see one of: (1) the third row of the tableau ($T[3, j]$, $1 \le j \le d$); (2) the i,j rectangle, for some $1 \le i \le 2$ and $1 \le j \le d$.

From $P_2$ the Verifier can request to see one of: (1) an element from the second and third rows of the tableau; (2) all the random elements $r_{1,j}$, $1 \le j < d$; (3) all the random elements $r_{2,j}$, $1 \le j < d$; (4) the assignment $x_j$, where $x_j$ labels one of the levels in the branching program.

The Verifier chooses either to check that the equation is satisfied or that the tableau is correctly constructed. To check that the equation is satisfied, the Verifier requests the third row from $P_1$ (option (1)) and an element of the top row from $P_2$ (option (1)). To check that the tableau is correctly constructed, the verifier has three possible options. In all three, it requests an i,j rectangle from $P_1$.

If i = 1: (a) The Verifier can request the assignment to the (Boolean) variable associated with level j. This checks consistency with $P_1$ and that the $h_j$'s are chosen from the right sets (the $\pi$'s). (b) The Verifier can request the randomizers for row 2. This checks that row 2 is formed correctly from row 1. (c) The Verifier can request the element from $T[2, j]$. This checks consistency with $P_1$.

If i = 2: (a) The Verifier can request the randomizers for row 3, checking that row 3 is formed correctly from row 2. (b) The Verifier can request an element from the rectangle, checking consistency with $P_1$. This completes the description of the protocol.

Intuitively, the most information a cheating verifier can possibly obtain about the bottom row (the assignment h) is the assignment to two of the permutations $g_j$. Since each of these is associated with only one variable of the robust form of the Boolean formula F, and since the values of any two variables in the robust form yield no information about the value of any Boolean variable in the satisfying assignment to the original F, the procedure is truly zero-knowledge. Finally, since the randomizing tableau is for a single clause, it is of constant size. Thus any error in the construction of the tableau is detected with constant probability.
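The randomizing tableau of Section 2.2 as an added example in Python (not the authors' code): it builds the three rows of T from a row 1 whose product is $\sigma$ (constructed here directly as random elements of $S_5$ rather than read off a branching program), runs every check the Verifier could choose, and shows that provers holding an unsatisfied clause fail either the equation check or, after forging row 3, a rectangle check. A sampling check confirms that a single randomized entry on its own is uniform and so reveals nothing about h.

```python
import random
from functools import reduce

# Elements of S5 as tuples over {0,..,4}: p[i] is the image of i.
E = (0, 1, 2, 3, 4)
SIGMA = (1, 2, 3, 4, 0)   # the five-cycle output sigma of the clause's branching program

def mul(p, q):
    """Product 'p then q'; rows of the tableau are multiplied left to right."""
    return tuple(q[p[i]] for i in range(5))

def inv(p):
    r = [0] * 5
    for i, pi in enumerate(p):
        r[pi] = i
    return tuple(r)

def row_product(row):
    return reduce(mul, row, E)

def rand_perm(rng):
    return tuple(rng.sample(range(5), 5))     # uniform element of S5

def sample_row1(rng, d, target):
    """Constructed stand-in for row 1 (the h_j's): d permutations whose product is `target`."""
    h = [rand_perm(rng) for _ in range(d - 1)]
    h.append(mul(inv(row_product(h)), target))
    return h

def randomize(row, r):
    """Next row: entry j is r[j-1]^-1 * row[j] * r[j], the missing r at either end read as e."""
    d = len(row)
    new_row = []
    for j in range(d):                       # 0-based j; the paper's j runs from 1 to d
        left = inv(r[j - 1]) if j > 0 else E
        right = r[j] if j < d - 1 else E
        new_row.append(mul(mul(left, row[j]), right))
    return new_row

def build_tableau(h, rng):
    """Rows 1..3 of T and the two lists of randomizers, as defined in Section 2.2."""
    d = len(h)
    r1 = [rand_perm(rng) for _ in range(d - 1)]
    r2 = [rand_perm(rng) for _ in range(d - 1)]
    row2 = randomize(h, r1)
    row3 = randomize(row2, r2)
    return [list(h), row2, row3], [r1, r2]

def rectangle_ok(T, R, i, j):
    """The (i,j) rectangle check r_{i,j-1}^-1 T[i,j] r_{i,j} == T[i+1,j] (0-based i, j here)."""
    d = len(T[0])
    left = inv(R[i][j - 1]) if j > 0 else E
    right = R[i][j] if j < d - 1 else E
    return mul(mul(left, T[i][j]), right) == T[i + 1][j]

def failing_checks(T, R, sigma):
    """Names of every Verifier check that fails: the equation check on row 3 and the 2d rectangles."""
    d = len(T[0])
    failed = [] if row_product(T[2]) == sigma else ["equation"]
    for i in range(2):
        for j in range(d):
            if not rectangle_ok(T, R, i, j):
                failed.append(f"rect({i + 1},{j + 1})")   # reported with the paper's 1-based i, j
    return failed

def hidden_entry_uniform(seed=7, trials=3000):
    """Empirical check: T[2,1] on its own takes all 120 values of S5 for a fixed h."""
    rng = random.Random(seed)
    h = sample_row1(rng, 4, SIGMA)
    seen = {build_tableau(h, rng)[0][1][0] for _ in range(trials)}
    return len(seen) == 120

def demo(seed=2024):
    rng = random.Random(seed)        # fixed seed so the constructed example is reproducible
    d = 4
    # Honest provers: row 1 multiplies to sigma, so every check passes.
    T, R = build_tableau(sample_row1(rng, d, SIGMA), rng)
    honest = failing_checks(T, R, SIGMA)
    # Unsatisfied clause: B_p(x) = e, so a correctly formed tableau fails the equation check.
    T_bad, R_bad = build_tableau(sample_row1(rng, d, E), rng)
    caught_by_equation = failing_checks(T_bad, R_bad, SIGMA)
    # Forging row 3 so that it multiplies to sigma moves the defect into a rectangle instead.
    T_bad[2][0] = mul(SIGMA, T_bad[2][0])
    caught_by_rectangle = failing_checks(T_bad, R_bad, SIGMA)
    return honest, caught_by_equation, caught_by_rectangle

if __name__ == "__main__":
    print(demo())   # ([], ['equation'], ['rect(2,1)'])
```

Since the Verifier picks one of the 2d + 1 checks uniformly and d is a constant, a single failing check is hit with constant probability, which is the soundness argument of Theorem 4 in miniature.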
Remark: Checking Consistency

Let $x_a$ be a variable in the robust form of F. Clearly, $x_a$ may appear several times, and it must have the same assignment each time it appears. Let $x_a$ appear in clauses p and q (p and q may be equal). Then for some j, k, $x_a$ is the variable associated with level j of $B_p$ and level k of $B_q$. Letting $\pi_0^{p,j}$ and $\pi_1^{p,j}$ be the two permutations at level j of $B_p$, and making analogous definitions for level k of $B_q$, the verifier must check that $h_{pj} = \pi_0^{p,j} \Leftrightarrow h_{qk} = \pi_0^{q,k}$. To check this, the Verifier asks $P_1$ for the 1,j rectangle from the tableau for $B_p$, and asks $P_2$ for the assignment $x_a$ without disclosing to $P_2$ the name of the clause (p or q) that it is examining. This is covered by Case i = 1(a) above.

Remark: Reducing the Number of Shared Random Bits In the description above it was assumed that the random bits used by the provers were completely independent. However, a closer examination reveals that since the verifier never sees more than a constant number of bits, they can be chosen to be c-wise independent for some constant c. Thus, the size of the probability space that generates them can be $O(\log n)$ bits (see e.g. [1]).

2.3 Putting it All Together 

Without communicating, the Provers and the Verifier construct the robust form of F and the five-cycle permutation branching programs for each of the m clauses of the robust form of F. Using their shared random bits, the Provers construct randomizing tableaux for all clauses consistent with a fixed satisfying assignment to the robust form of F. The Verifier randomly chooses a clause and one of the six legal pairs of questions described in the previous subsection, and proceeds accordingly. Note that the Verifier must tell $P_1$ which clause it has chosen, while it does not tell $P_2$ the chosen clause when it requests from $P_2$ the value of an assignment.

We now sketch proofs that our proof system is complete, partially sound and 
secure. 

Theorem 3 (completeness) If x, the assignment known to $P_1$ and $P_2$, satisfies the robust form of F, then V will always accept.

Proof. (Sketch) By construction of the randomizing tableaux, a simple case anal- 
ysis shows that any constraints that V chooses to check will be satisfied. 

Theorem 4 (soundness) There exists a constant $c > 0$ such that V will reject with probability at least

$c(|S| - \text{max-sat}(S)) / |S|$,

where max-sat(S) denotes the maximum number of clauses of S that may be simultaneously satisfied, and |S| denotes the total number of clauses of S. This theorem holds regardless of the strategies of the provers, $P_1$ and $P_2$.
Proof. (Sketch) First, by a standard lemma [7], there exist optimal deterministic provers, $P_1$ and $P_2$, that cause V to accept with the highest possible probability. It suffices to show that even with these provers, V will reject sufficiently often.

$P_2$'s responses to queries about x constitute an assignment. Its responses to queries about rows 2 and 3 of the tableaux define these rows, just as its responses to queries about the randomizers define these objects as well. Let $x_i$ be associated with some level $\ell$ of $B_q$, for some clause $c_q$.

Let $c_p$ be chosen at random. Then with probability at least

$c(|S| - \text{max-sat}(S)) / |S|$,

$c_p$ is not satisfied by x. It suffices to show that when this happens V will reject with some constant probability, regardless of what $P_1$ does. In this case, $B_p(x) = e$, so either the product of the elements of the top row of the randomizing tableau for $B_p$ equals e, or the tableau is badly formed. Because the tableau is of constant size the error will be detected with constant probability.

Theorem 5 The proof system achieves perfect zero-knowledge. 

Proof. (Sketch) In order to prove this theorem, we construct a simulator M such that for any satisfiable 3-SAT formula F, any verifier V will obtain the same view by interacting with M as by interacting with $P_1$ and $P_2$. Recall that in the first step of the interactive proof system, before any communication begins, F is made "robust" by replacing every variable in F with 3 new variables. Let $x_i$ denote the provers' assignment to $y_i$ in the original formula. Then the provers may choose any random assignment to the sub-variables $x_{i1}, x_{i2}, x_{i3}$ so that the exclusive-or of these is $x_i$.

The verifier makes one of 2 kinds of queries to $P_1$ and 4 kinds of queries to $P_2$ for a total of 8 kinds of pairs. The analysis is straightforward; we discuss only the case in which V requests a rectangle from $P_1$ and an assignment to some $x_i$ from $P_2$.

Let the (possibly faulty) Verifier request rectangle i,j in the randomizing tableau for $B_p$ from $P_1$. If i = 2 then the rectangle contains two independent randomly chosen elements of $S_5$, so simulating $P_1$'s response is trivial. If i = 1 then since the variable associated with level j of $B_p$ is from the robust form of F, both possible assignments to this variable are equally likely. Thus, either element of $\{\pi_0^{p,j}, \pi_1^{p,j}\}$ is equally likely, so the simulator can choose $T[i, j]$ from this set, and $T[i+1, j]$ from $S_5$. Finally, the response from $P_2$ needs only to be consistent with the response from $P_1$.

In the final version of the paper we will show how the number of bits that the 
provers send can be reduced to three - two by one prover and a single bit by the 
other. Note that this is the best possible, unless P = NP, since the existence of 
a two bit proof system can be translated to a 2-SAT problem. 
3 Lower Bound on the Number of Shared Random Bits

In this section we show that the two provers must share $\Omega(\log\log n)$ random bits.

Let r be the number of shared random bits. We make several simplifying assumptions: let the total number of possible queries to each prover be polynomial in n; let the protocol be one round, i.e. the verifier sends the queries to the provers and they respond; let the provers' responses be limited to $c \le 2^r$ possibilities (in this section we do not require c to be constant); let the two provers have no random bits other than the r shared random bits. Some of the above assumptions can be relaxed (see remarks at the end of this section).

We will show that if 3-SAT is recognized by a 2-prover zero-knowledge interactive proof system obeying these constraints and $r \in o(\log\log n)$, then 3-SAT $\in$ BPP. The main idea is to first show that a small number of random bits implies that the two provers have only a small number of different strategies for answering the queries. We then show that this implies that on inputs of 3-SAT of any length n, in polynomial time it is possible, using the simulator whose existence is guaranteed by the zero-knowledge property, to reduce the problem to an instance of 3-SAT of size strictly less than n. By repeating this at most n times (a more careful analysis shows that $\log\log n$ times suffice), we can therefore, in polynomial time, reduce the problem to one that can be efficiently solved by brute force.

Fix a satisfiable input formula F of n variables for the remainder of the 
discussion. 

Let $u_1, \ldots, u_m$ ($v_1, \ldots, v_m$) be all the possible queries, over all random choices of the verifier, that the verifier could send to $P_1$ ($P_2$). The first step in the reduction is to split the u's (v's) into a (relatively) small number of equivalence classes. We describe the procedure for splitting the u's. The v's are handled similarly.

Intuitively, $u_1$ and $u_2$ will be in the same class if $P_1$ does not distinguish between them. However, for any random string s shared by the two provers, even using the simulator, there is no way to compare the behavior of $P_1$ on query $u_1$ with its behavior on query $u_2$, since each invocation of the simulator queries $P_1$ exactly once and on different invocations of the simulator the simulated $P_1$ may have different random strings. We must therefore define the equivalence classes in a slightly more roundabout fashion, so that we can compute them using the simulator.

Let (u, v) be an arbitrary pair of queries to $P_1$ and $P_2$, respectively. Let Answers((u, v), s) denote the pair of responses on this pair of queries when the provers share s. Let $\text{Pairs}(u, v) = \{\text{Answers}((u, v), s) \mid s \in \{0, 1\}^r\}$. Then

$u_1 \sim u_2 \iff \forall v\ (\text{Pairs}(u_1, v) = \text{Pairs}(u_2, v))$.

Intuitively, although the verifier might distinguish between similar queries, $P_1$ does not.

At a high level, we will proceed as follows. To reduce the size of the problem we use the simulator to compute the equivalence classes, arguing that there are not too many of them. The entire strategy of the two provers can then be described by the number of pairs of classes times the number of pairs of responses ($c^2$, assuming each prover sends one of only c possible answers on each query). But the description of the strategy is just a string, so we have reduced the problem to one of finding a string of at most this length that causes the verifier to accept. We now give more details.

By assumption, the number of u's is at most polynomial in n. We now show that, using the simulator, we can compute Pairs(u, v) for all pairs of queries u, v, in BPP. For each u we proceed as follows. For each $v_i$ run the simulator many times with a verifier that asks the pair of queries $(u, v_i)$, to obtain the set $\text{Pairs}(u, v_i)$. (It may be that the honest verifier never asks this particular pair of queries. However, some cheating verifier must do so.) Note that as long as the number of shared random bits is at most $O(\log n)$ every element of this set will be discovered with arbitrarily high probability in polynomial time. The sets Pairs(u, v) are then used to determine the equivalence classes.

Note that for every query u there is a vector of possible replies, each an element in $\{1, \ldots, c\}$, indexed by the shared random string s. Let this vector of replies be the color of the query. There are only $c^{2^r}$ possible colors. Moreover, if two queries have the same color then they are in the same equivalence class (an equivalence class may include queries of different colors). Thus, the number of equivalence classes is at most $c^{2^r}$. If r is sufficiently small, then we can obtain a representative from each equivalence class on the u's and on the v's. Using the simulator with the real verifier we can obtain, with arbitrarily high probability, for all pairs of representatives (u, v) such that on some execution the verifier actually asks this pair of queries, the set Pairs(u, v). Call this set a constraint. Note that $|\text{Pairs}(u, v)| \le c^2$.

To reduce the size of the problem, we make the following definitions. Let $u_1, \ldots, u_\ell$ be representatives of the classes of queries to $P_1$, and let $v_1, \ldots, v_k$ be representatives of the classes of queries to $P_2$; note that $\ell, k \le c^{2^r}$. Let $S_1$ be a function from the representatives $u_i$ to $\{1, \ldots, c\}$, and let $S_2$ be a function from the representatives $v_j$ to $\{1, \ldots, c\}$. The problem now reduces to finding $S_1$ and $S_2$ satisfying the following condition. For all pairs of representatives $u_i, v_j$ such that in some execution of the interactive proof system, V sends a member of the class represented by $u_i$ to $P_1$ and a member of the class represented by $v_j$ to $P_2$,

$(S_1(u_i), S_2(v_j)) \in \text{Pairs}(u_i, v_j)$.

Thus, the problem of proving that $F \in$ 3-SAT can be reduced to the problem of finding a strategy for the provers that satisfies these constraints. It follows that the question of whether a strategy exists can be defined by a string that is at most the square of the number of classes times the square of the number of possible responses. That is, the length of the description of the constraints that the strategy must satisfy is at most $(c^{2^r})^2 \cdot c^2 = 2^{2^{r+O(1)}}$. Since this question is clearly in NP, it follows from the Cook-Levin Theorem that there exists a polynomial p such that a string x is such a strategy if and only if some (effectively computable) formula $F_x$ of length $p(|x|)$ is satisfiable. Thus, if $p(2^{2^{r+O(1)}}) < n$ then the original problem of size n can be reduced, in BPP, to a problem of strictly smaller size. This happens when $r = o(\log\log n)$. We therefore have the following theorem.

Theorem 6 Let L be an NP-complete language recognizable by a perfectly complete perfect zero-knowledge two prover interactive proof system in which the verifier poses a single query to each prover, the reply from each prover is restricted to a single element from a set of size $c \le 2^r$, and the provers have no random bits other than the shared random bits. Then if the number of shared random bits is $o(\log\log n)$ then $L \in BPP$.

Note that we have not used the fact that the probability of acceptance in case the formula is not satisfiable is less than $\alpha < 1$, nor that the provers are polynomial time machines (with access to a satisfying assignment).

Remarks: 

(1) Virtually the same proof shows that the provers must share $\Omega(\log\log n)$ random bits also in statistical zero knowledge proofs for NP.

(2) If the provers do not use private random bits, we can assume that the range of possibilities of the provers' replies (denoted by c) is at most of size $2^r$. Given that there are only r shared random bits and no private random bits, on every possible query there are at most $2^r$ answers that the prover may give. Using the simulator these answers can be enumerated. The protocol can then be changed with the prover giving a pointer of r bits into this list, instead of sending the full answer. The resulting protocol would be only statistical zero knowledge, and would not have perfect completeness. Nevertheless, the proof of the lower bound would still hold with minor modifications.

(3) If the number of possible queries is not polynomial in n then it is still possible, 
in polynomial time, to find all the equivalence classes that are "likely" to be asked 
and all the constraints that are likely to influence. The construction proceeds 
the same way, only we simply ignore "unlikely" queries. 

(4) The protocol may contain several rounds instead of one round. The concatenation 
of a prover's answers plays the role of the prover's answer in the single 
round case. The only difficulty is in implementing remark 2. However this can 
be solved by making $c$ no larger than $2^{2^r}$, which does not affect the lower bound. 

(5) We can allow the provers to have an arbitrary number $r'$ of private random 
bits, provided $\log c + r' \in o(\log\log n)$. The main difference is in the definition of 
the color of a query. In the new definition, each entry in the vector is replaced 
by a list of possible responses, which vary according to the private random bits 
of the prover. 

(6) Under most assumptions, the lower bound on the number of random bits 
shared by the provers can be pushed up to $\log\log n - 3$. 

(7) While the lower bound shows that $\Omega(\log\log n)$ shared random bits are necessary, 
the proof relies on the fact that the protocol must be zero-knowledge for 
all verifiers. Indeed, our protocol can be easily modified to use only $O(1)$ shared 
random bits if zero-knowledge is only required against the honest verifier. 
Abstract. The standard definition of digital signatures allows a document 
to have many valid signatures. In this paper, we consider a subclass 
of digital signatures, called invariant signatures, in which all legal signatures 
of a document must be identical according to some polynomial-time 
computable function (of a signature) which is hard to predict given an 
unsigned document. We formalize this notion and show its equivalence 
to non-interactive zero-knowledge proofs. 
1 Introduction 

Currently, due to the lack of proven non-trivial lower bounds on NP problems, 
the theory of cryptography is primarily based on unproven assumptions such 
as the difficulty of particular computational problems such as integer factorization, 
or more generally the existence of one-way and trapdoor functions. It is 
thus naturally desirable to establish minimal complexity assumptions for basic 
cryptographic primitives, and to establish connections among these primitives. 
Indeed, this has been an active and in many cases successful area of research. For 
example, pseudo-random generators [BM] were shown to be equivalent to the 
existence of any one-way function [ILL, H]. On the other hand, several other 
primitives, such as secret-key exchange, seem to require the trapdoor [IR] property. 

Digital signatures have been an especially interesting case in point. Originally 
introduced by Diffie and Hellman [DH], the first implementation was based on 
the RSA trapdoor function [RSA] which yields a deterministic signature scheme 
where each document has a unique valid signature. Later, the notion of digital 
signatures which are secure against chosen message attack^3 was formally defined 
by [GoMiRi] and proved to exist under a sequence of decreasingly weaker 
assumptions: the existence of claw-free permutations [GoMiRi] (e.g. factoring), 
the existence of trapdoor permutations [BeMi], the existence of one-way permutations 
by [NY], and finally the existence of one-way functions by [Ro]. In all of 
these schemes, each document may have many valid signatures. 

The fact that digital signatures can be implemented if one-way functions 
exist without the need for a trapdoor [NY, Ro] is somewhat remarkable, as by 
definition a digital signature seems to possess the essential flavor of a trapdoor 
function: namely, it should be easy for everyone to verify the correctness of a 
signature, while it should be hard for everyone except a privileged user (with 
access to the private file) to sign. In this paper, we study which aspects of digital 
signatures allow for this dichotomy and whether digital signatures can in some 
cases be used in cryptographic protocols instead of trapdoor functions. 

We show that the issue of having many different valid signatures of the same 
document plays a role in the above question. That is, on the positive side, we 
show that digital signatures can sometimes be used instead of trapdoor functions, 
provided that all valid signatures of the same document have an invariant 
property which is unpredictable from the document itself. On the negative side, 
we show that this invariant property for a signature scheme may require a trapdoor 
for its implementation (unless non-interactive zero-knowledge proofs among 
polynomial-time participants can also be implemented without a trapdoor). 

^3 Note that RSA does not satisfy security against adaptive chosen message attack as 
there do exist messages for which the signature can be forged. 

Invariant signatures are interesting in their own right, as they capture the 
flavor of having a unique valid signature per document as in the case of RSA, 
and yet can be proven secure against adaptive chosen message attack as in the 
case of [GoMiRi, BeMi, NY, Ro]. Achieving these two aspects simultaneously 
may prove valuable in applications. 



1.1 Invariant Signatures 

Let us recall the definition of digital signatures as defined in [GoMiRi]. Infor- 
mally, the setting is as follows: in a network, every user can generate (using a 
polynomial-time algorithm) a pair of keys: the public key and the correspond- 
ing secret key. In addition to the generation algorithm, the signature scheme is 
provided with two probabilistic polynomial-time algorithms: one for signing and 
one for verifying. Given an arbitrary document, a user applies his signing algo- 
rithm to the document, his public key, and his secret key. Given a signature of 
a document, any other user can verify the validity of the signature by applying 
the polynomial time verification algorithm to the signature, document, and the 
public key of the signer. No adversary can forge a signature for a new document, 
even after asking for arbitrary signature samples in an adaptive fashion. 

The additional constraint we put on digital signatures so as to make them 
invariant, is (informally) that there exists a deterministic poly-time computable 
function $g$ computed on signatures such that with high probability (1) for any 
document $D$ and for any two legitimate signatures $\sigma_1(D)$ and $\sigma_2(D)$, $g(\sigma_1(D)) = 
g(\sigma_2(D))$ and (2) given $D$, $g(\sigma(D))$ is pseudo-random. If the above conditions 
hold we say that the signature scheme is invariant under $g$. 

Although not the subject of this paper, we suggest that our definition of 
invariant signatures might serve as a good definition for what we may want 
from a fingerprint of a document: hard to predict for any document even in an 
adaptive setting, dependent perhaps on the time of inquiry, and yet unique. 
1.2 Non-Interactive Zero-Knowledge Proofs and Digital Signatures 

We investigate the comparative difficulty of non-interactive zero-knowledge proofs 
(NIZK) [BFM] and digital signatures (DS) [GoMiRi]. These seemingly different 
primitives were shown to be connected in a paper by Bellare and Goldwasser 
[BG], where it was shown that the existence of one-way functions and non-interactive 
zero-knowledge proofs implies the existence of digital signatures (secure 
against adaptive chosen-message attacks). We remark that the known constructions 
of non-interactive zero-knowledge proofs with polynomial-time participants 
use the trapdoor permutations assumption [FLS], while digital signatures 
can be implemented based on any one-way function [Ro]. 

We show that the existence of invariant digital signatures is equivalent to the 
existence of non-interactive zero-knowledge proofs. That is, we show that while 
a signature scheme in which a document can be signed in an unconstrained plu- 
rality of ways requires the existence of any one-way function, a signature scheme 
in which each document has unique or at least "similar signatures" (according 
to any "nontrivial" poly-time computable function — this is the invariant prop- 
erty!) requires the same assumptions as non-interactive zero-knowledge proofs 
(i.e. currently the trapdoor assumption is necessary). 

More precisely, we consider non-interactive zero-knowledge proofs in the ran- 
dom string model, where users in the system can read a pre-existing common 
(polynomial size) random string set up by the system (a model defined by 
[BFM]). We prove that in this common random string model, the existence 
of invariant digital signatures is equivalent to the existence of non-interactive 
zero-knowledge proofs for any hard to predict NP language (see definition in 
2.2). To prove this theorem we must define invariant signatures in the common 
random string model. 

1.3 A simple example: using digital signatures to achieve asymmetry 

Suppose two probabilistic polynomial-time players (Alice and Bob) wish to agree 
on a boolean predicate $B(\cdot)$, so that when later given a randomly chosen $x$ as 
a common input, Bob cannot predict $B(x)$ with probability (over $x$ and Bob's 
coin tosses) bounded away from half, but Alice can compute $B(x)$ and convince 
Bob of the value of $B(x)$. Under what assumptions can we implement such a 
protocol? 

Before we examine the above question, let us recall definitions of a one-way 
function and a trapdoor function. Informally, a poly-time computable function 
$f$ is one-way if when we pick $x$ uniformly at random and compute $y \leftarrow f(x)$, 
it is infeasible for any polynomial time machine to find $x'$ in $f^{-1}(y)$ for a non-negligible 
fraction of the instances. Again informally, a trapdoor function is a 
one-way function with an additional secret key, the knowledge of which makes 
inversion easy. 



Assuming the existence of one-way trapdoor permutations, Alice and Bob 
can achieve the above task. In particular, they can agree on a trapdoor one-way 
permutation $(f, f^{-1})$, so that Alice knows $(f, f^{-1})$ and Bob knows only $f$. In 
addition, they agree on a hard-core [GL] bit $B(\cdot)$ for $f$. (Notice that Alice and 
Bob must make sure that $f$ is really a permutation for $B(\cdot)$ to be well defined.) 
Subsequently, when $x$ is given, Alice can invert $f$ and compute a hard-core bit, 
while Bob cannot. 



Can we achieve the above task using one-way functions which are not trapdoor? 
Let us examine if digital signatures (which do not need a trapdoor in their 
implementation) might be useful. 

At first glance, the simple protocol specified above could be implemented 
using digital signatures as follows: Alice prepares a public and a secret key (of a 
signature scheme), gives her public key to Bob and convinces him that her public 
key is produced using an appropriate key-generation algorithm. Moreover, they 
agree on a hard-core bit $B$ of a signature for any document $x'$. Notice that given 
$x$ and a public key of Alice, the signature of $x$ is hard to find for any polynomial-time 
player, and thus Bob cannot predict the hard-core bit of a signature of $x$, 
while Alice can easily compute it. Since we can implement signatures based on 
one-way functions (without the trapdoor) it seems that we can implement the 
above protocol without the trapdoor... What is wrong in this argument? 

The problem is that this bit is not well defined. That is, the specification of 
digital signatures allows for many legal signatures of $x$. However, if we put an 
additional constraint on the digital signature scheme, then the above argument 
will go through. The additional constraint is to have an invariant signature 
scheme (as above). Then, to implement the above game, Alice can use a hard-core 
bit of $g(\sigma(D))$ (where all signatures of $D$ are invariant under $g$) and the bit 
is well-defined. Thus, notice that invariant digital signatures can be used in the 
above setting instead of a trapdoor function. 
2 Model and Definitions 

2.1 Negligible, noticeable and infeasible functions 

We use the usual $O$, $o$ and $1/o(1)$ (asymptotically tending to $\infty$) notation. We 
fix some function $s(n) = n^{1/o(1)}$ and call it infeasible. We call $\epsilon(n) = 1/s^{O(1)}(n)$ 
negligible and $\delta(n) = 1/O(n^c)$, $c > 0$ noticeable. In this case, $n$ is a security 
parameter, which we omit when clear from the context. We use standard definitions 
of one-way functions and computationally indistinguishable distributions 
(see, for example, [GL, ILL, H]). If $S$ is a probability space then $x \leftarrow S$ denotes 
the algorithm which assigns to $x$ an element randomly selected according to $S$. 
For probability spaces $S, T, \dots$, the notation $\Pr(p(x, y, \dots) : x \leftarrow S; y \leftarrow T; \dots)$ 
denotes the probability that the predicate $p(x, y, \dots)$ is true after the (ordered) 
execution of the algorithms $x \leftarrow S$, $y \leftarrow T$, etc. The notation $\{f(x, y, \dots) : x \leftarrow 
S; y \leftarrow T; \dots\}$ denotes the probability space which to the string $\sigma$ assigns the 
probability $\Pr(\sigma = f(x, y, \dots) : x \leftarrow S; y \leftarrow T; \dots)$, $f$ being some function. If $S$ 
is a finite set we will identify it with the probability space which assigns to each 
element of $S$ the uniform probability $\frac{1}{|S|}$. (Then $x \leftarrow S$ denotes the operation of 
selecting an element of $S$ uniformly at random). 

2.2 Non-Interactive Zero-Knowledge (NIZK) Proofs in the Common Random String Model 

Non-interactive zero-knowledge proofs were introduced in [BFM]. We note that 
this is where the "common random string model" was introduced as well. 

Common random string model: at the time of the system set-up a string 
of a fixed (polynomial in the security parameter) length is chosen uniformly at 
random and published by a trusted center for everyone in the system (provers, 
verifiers, users etc.) such that it can be read but not modified. 

Informally, a NIZK proof of an NP statement in a common random string 
model is a way for any polynomial-time user to convince other users that some 
statement is true without revealing anything else. That is, given a common 
random string, and a witness to an NP statement, there should be a probabilistic 
poly-time algorithm (for the prover) which constructs a proof of that statement, 
and a probabilistic poly-time algorithm (for the verifiers) to check that the proof 
is correct. Moreover, such a proof should not reveal anything about the witness. 

Formally, the following definition is essentially taken from [BDMP]. 
Definition 1. We fix an NP language $L$ (with poly-time relation $\rho(\cdot,\cdot)$ and constant 
$d$ such that $x \in L$ iff $\exists w, |w| < |x|^d, \rho(x, w) = 1$.) We say that two probabilistic 
polynomial-time algorithms $(prover(\cdot,\cdot,\cdot), verifier(\cdot,\cdot,\cdot))$ constitute bounded 
NIZK for language $L$ if the following conditions are satisfied: there exists a polynomial 
$l$ such that 

Completeness: For all $x \in L$, $|x| = n$, sufficiently large $n$, and $\epsilon$ negligible, 
where $w$ is such that $|w| < n^d$ and $\rho(x, w) = 1$, the 
$\Pr(verifier(x, y, c) = accept : c \leftarrow \{0,1\}^{l(n)}; y \leftarrow prover(x, w, c))$ 
$> 1 - \epsilon(n)$. 

(Here, $c$ is the "common random string", $w$ is the NP witness, 
and $y$ is the output of the prover which is computed non-interactively. 
The probability is taken over the choice of $c$ and 
the prover's coin tosses). 
Soundness: For all probabilistic polynomial-time players $prover'$, $x \notin L$, 
$|x| = n$, for sufficiently large $n$, and negligible $\epsilon$, the 
$\Pr(verifier(x, y, c) = accept : c \leftarrow \{0,1\}^{l(n)}; y \leftarrow prover'(x, c))$ 
$< \epsilon(n)$. 

(Here, the probability is taken over the choice of $c$ and the prover's 
coin tosses). 

Zero-Knowledge: There exists a probabilistic expected polynomial-time algorithm 
$S(\cdot,\cdot)$ such that for all $x \in L$, $|x| = n$, and $w$ such that $|w| < n^d$ 
and $\rho(x, w) = 1$, for all probabilistic polynomial time algorithms 
$D$, for all sufficiently large $n$, the 

$|\Pr(D(c, x, y) = 1 : c \leftarrow \{0,1\}^{l(n)}; y \leftarrow prover(x, w, c)) -$ 
$\Pr(D(c, x, S(x, c)) = 1 : c \leftarrow \{0,1\}^{l(n)})| < \epsilon(n)$ 

In the above $c$ is called the "common random string", and $l$ the length of the 
common random string. 



REMARKS: 

- One difference from the above definition to [BDMP] is that we impose the 
soundness condition only on probabilistic polynomial-time provers. This 
is not actually necessary as known constructions achieve soundness against 
all provers. However, as in the context of this paper we show equivalence to 
digital signatures in which a reasonable forger to consider is probabilistic 
polynomial time, we relax the soundness requirement here as well. 
- The above definition is specified for a single theorem of a fixed polynomial 
size. This bounded NIZK definition can be extended to polynomially-many 
theorems each of polynomial length and to many users in the roles 
of both provers and verifiers. This is the notion of NIZK we adopt here. 
To modify the above definition to accommodate this extension, we must 
require (as in [BDMP]) the existence of many pairs $prover_i$, $verifier_i$ for 
which completeness and soundness are true, and change the zero-knowledge 
condition as follows. 

[Zero-Knowledge':] There exists a probabilistic expected polynomial time 
algorithm $S$ such that for all $x_1, x_2, \dots \in L \cap \{0,1\}^n$, where $|w_1|, |w_2|, \dots < n^d$ 
and $\rho(x_1, w_1) = 1$, $\rho(x_2, w_2) = 1, \dots$, for all probabilistic polynomial time 
algorithms $D$, for all sufficiently large $n$, for all negligible $\epsilon$, 
$|\Pr(D(c, (x_1, y_1), (x_2, y_2), \dots) = 1 : c \leftarrow \{0,1\}^{l(n)}; y_1 \leftarrow prover_1(x_1, w_1, c);$ 
$y_2 \leftarrow prover_2(x_2, w_2, c); \dots) -$ 

$\Pr(D(c, (x_1, S(x_1, c)), (x_2, S(x_2, c)), \dots) = 1 : c \leftarrow \{0,1\}^{l(n)})| < \epsilon(n)$. 

- Another aspect of NIZK is the preservation of zero-knowledge in an adaptive 
setting, which means that even after requesting polynomially-many proofs 
one by one, the probability for polynomial-time $Adv$ (over its coin-flips) of 
being able to distinguish an NIZK proof of a new theorem from the run of the 
simulator is negligible. Notice that if NIZK proofs remain zero-knowledge 
even in an adaptive setting, then the statements may be dependent on the 
previous proofs and on the common random string. From now on, when we 
refer to NIZK, we refer to NIZK which is secure in an adaptive setting. 
To modify the above definition to accommodate this extension we further 
refine the zero knowledge condition as follows. 

[Zero-Knowledge'':] There exists a probabilistic expected polynomial time 
algorithm $S$ such that for all polynomial time $Adv$, for all probabilistic polynomial 
time $D$, for all sufficiently large $n$, for all negligible $\epsilon$, 
$|\Pr(D(c, (x_1, y_1), (x_2, y_2), \dots) = 1 : c \leftarrow \{0,1\}^{l(n)}; x_1 \leftarrow Adv(c);$ 
$y_1 \leftarrow prover_1(x_1, w_1, c); x_2 \leftarrow Adv(c, x_1, y_1); y_2 \leftarrow prover_2(x_2, w_2, c); \dots) -$ 
$\Pr(D(c, (x_1, S(x_1, c)), (x_2, S(x_2, c)), \dots) = 1 : c \leftarrow \{0,1\}^{l(n)}; x_1 \leftarrow Adv(c);$ 
$y_1 \leftarrow S(x_1, c); x_2 \leftarrow Adv(c, x_1, S(x_1, c)); y_2 \leftarrow S(x_2, c); \dots)| < \epsilon(n)$. 

- We note that in our setting, provers are polynomial-time machines. 

- An additional property of NIZK that we must stress is that of being a publicly 
verifiable NIZK proof system, which means that the proof can be verified by 
any polynomial-time machine which has access to the common random string. 
In [BFM, DMP1, BDMP] it was shown how NIZK could be implemented, 
based on algebraic assumptions. In [DMP2, KMO] NIZK was implemented 
based on general complexity assumptions and without a common random 
string, but at the price of a small pre-processing stage, which was interactive. 
Finally, in [FLS] it was shown how NIZK could be implemented without pre-processing, 
based on (verifiable) trapdoor one-way permutations. (In [BY], they 
show how the verifiability requirement could be implemented based on trapdoor 
one-way permutations). Moreover, in [FLS] it was shown how to convert NIZK 
into a publicly-verifiable and adaptively secure (see remarks above) NIZK proof 
system. Again, we mention that it is not known how the assumptions (of one-way 
trapdoor permutations) could be reduced further. 

Definition 2. We say that a language $L$ is hard to predict if there exists a probabilistic 
polynomial time algorithm $S(1^n)$ (which samples $X \in \{0,1\}^n$) such that 
for every probabilistic polynomial-time algorithm $Adv$, for all sufficiently large 
$n$ and for all negligible $\epsilon$, the probability (over $S$ and $Adv$ coin tosses) that $Adv$ 
can correctly decide if $X \in L$ is less than $\frac{1}{2} + \epsilon(n)$. 

REMARK: The above definition can be modified as follows: we say that a 
language $L$ is sometimes hard to predict if there exists a probabilistic polynomial 
time algorithm $S(1^n)$ (which samples $X \in \{0,1\}^n$) such that on a noticeable 
fraction $H$ of $S(1^n)$, for every probabilistic polynomial-time algorithm $Adv$, for 
all sufficiently large $n$ and for all negligible $\epsilon$, the probability (over $S$ and $Adv$ 
coin tosses) that $Adv$ on $X$ in $H$ can correctly decide if $X \in L$ is less than 
$\frac{1}{2} + \epsilon(n)$. 

Definition 3. We say that nontrivial NIZK exists, if there exists a (sometimes) 
hard to predict $L \in NP$ which possesses an NIZK proof system. 

We note that the existence of NIZK proofs for (sometimes) hard to predict 
$L$ implies the existence of one-way functions [OW]. 

2.3 Invariant Digital Signatures (INV-DS) 

The formulation of the digital signatures of [GoMiRi] allows any document to 
have many valid signatures (i.e. signatures accepted by the signature verification 
algorithm as valid). For invariant signatures we make the additional 
requirement that all valid signatures of the same document be "similar", that 
is, there exists an easy to compute function defined on signatures which yields 
the same value for all signatures of the same document. This function should 
be hard to compute from the document itself with access to the public key (but 
without access to the secret key). 

In the following definition we incorporate the possibility that a common 
random string c was published by a trusted center at the time of a system set 
up for everyone in the system (signers and verifiers) to read but not to modify. 
This is similar to the set up of NIZK (see previous section). The definition of an 
invariant digital signature scheme can be made in the standard model as well 
(without the presumption of the existence of c), but as in this paper we show 
the equivalence of invariant signatures and NIZK in the common random string 
model, we present the definition of invariant digital signatures in this model. 
The polynomial l(n) will denote the length of the common random string with 
security parameter n. 

Definition 4. An invariant signature scheme $\pi$ is a quadruple $(G, S, V, g)$ 
such that the following conditions hold: let $l$ be a polynomial function 

G: is a probabilistic poly-time computable algorithm (the "key generation" 
algorithm) which on input $1^n$ (the security parameter), 
$c \in \{0,1\}^{l(n)}$ (the common random string) outputs a pair of strings 
$(secret\text{-}key, public\text{-}key)$. We let the random variables $G_1(1^n)$ denote 
the first output and $G_2(1^n)$ the second output. (Wlog we let 
$|G_1(1^n)| = |G_2(1^n)| = n$. The probability is over $c \leftarrow \{0,1\}^{l(n)}$ 
and $G$'s coin tosses.) 

S: is a probabilistic poly-time computable algorithm (the "signing" algorithm) 
which on input strings $1^n$, $c \in \{0,1\}^{l(n)}$ (the common 
random string), $D \in \{0,1\}^*$ of length polynomial in $n$ (the document), 
and a pair of strings $(secret\text{-}key, public\text{-}key)$ in the range 
of $G(1^n, c)$ outputs a string. The output is referred to as the "signature" 
of $D$ (with respect to $public\text{-}key$ and $c$). When the context 
is clear we let $\sigma(D)$ denote an output of $S(1^n, D, G(1^n, c), c)$. 

V: is a probabilistic poly-time computable algorithm (the "verification" 
algorithm) which receives as inputs the strings $1^n$ (the security 
parameter), $D \in \{0,1\}^*$ of length polynomial in $n$ (the document), 
$s$ (the presumed signature of $D$), $c \in \{0,1\}^{l(n)}$ and $public\text{-}key \in 
G_2(1^n)$, and outputs either true or false. We require that for all such 
$D$, the $\Pr(V(1^n, D, s, public\text{-}key, c) = true : c \leftarrow \{0,1\}^{l(n)};$ 
$(secret\text{-}key, public\text{-}key) \leftarrow G(1^n, c); s \leftarrow S(1^n, D, (secret\text{-}key,$ 
$public\text{-}key), c)) = 1$ 
(Namely, signatures produced by the signing algorithm $S$ are 
always accepted by the verifying algorithm $V$ for any pair of public 
and private keys produced by key generation algorithm $G$). 
If $V(1^n, D, s, public\text{-}key, c) = true$ then we say that $s$ is a "valid" 
signature of $D$ (with respect to $public\text{-}key$ and $c$). 

security: Let $F$ be a probabilistic poly time forging algorithm which receives 
as input the strings $1^n$, $c \in \{0,1\}^{l(n)}$, and $public\text{-}key \in G_2(1^n)$; 
can request and receive signatures with respect to $public\text{-}key$ 
and $c$ of polynomially-many adaptively chosen documents $\{D_i\}$ and 
finally outputs a pair of strings $(D, s)$. Then, for all such $F$, for all 
sufficiently large $n$, for all negligible functions $\epsilon$, the probability that 
$F$ outputs $(D, s)$ where $D \notin \{D_i\}$, and $s$ is a valid signature of $D$ 
with respect to $public\text{-}key$ and $c$ is less than $\epsilon(n)$. 

(The probability is taken over the outcome of $G$, signatures of 
$D_i$, and the coin tosses of $F$). 

invariant function $g(\cdot,\cdot)$: is a polynomial time computable function which 
takes as input strings $1^n$ and $s$ (when clear we use notation $g(s)$ 
for $g(1^n, s)$) and produces as output a string $t \in \{0,1\}^{r(n)}$ where 
$r$ is a fixed polynomial, such that: 

invariance Let $Adv$ be a probabilistic polynomial-time algorithm which receives 
as input strings $1^n$, $c \in \{0,1\}^{l(n)}$, and produces as output 
the tuple $(public\text{-}key, D, \sigma_1(D), \sigma_2(D))$ where $public\text{-}key 
\in \{0,1\}^n$, and $\sigma_1(D)$ and $\sigma_2(D)$ are both valid signatures 
of $D$ with respect to $public\text{-}key$ and $c$. Then, for all such $Adv$, 
for all $public\text{-}key \in \{0,1\}^n$, for any negligible $\epsilon$, and for sufficiently 
large $n$, the probability that $g(\sigma_1(D)) \neq g(\sigma_2(D))$ is 
less than $\epsilon(n)$. 

(Here the probability is taken over $c \leftarrow \{0,1\}^{l(n)}$, and the coin 
tosses of $Adv$.) (Note that the definition implies that even the 
honest signer who has access to the secret key cannot produce 
two signatures of the same document for which $g$ is not the 
same with non-negligible probability.) 

pseudo-randomness Let $Adv$ be a probabilistic polynomial time algorithm which 
operates in two stages on input strings $1^n$, $c \in \{0,1\}^{l(n)}$, and 
$public\text{-}key \in G_2(1^n)$. In the first stage $Adv$ can request 
and receive signatures with respect to $public\text{-}key$ and $c$ of 
polynomially-many (in $n$) adaptively chosen documents $\{D_i\}$. 
At the end of the first stage, $Adv$ outputs a polynomial length 
string $D$ not in $\{D_i\}$. In the second stage, $Adv$ is presented with 
a string $t$ on which it outputs 0 or 1 (we let $Adv(t)$ denote the 
output bit). Let $\alpha = \Pr(Adv(t) = 1 : c \leftarrow \{0,1\}^{l(n)}; (secret\text{-}key,$ 
$public\text{-}key) \leftarrow G(1^n, c); s \leftarrow S(1^n, D, (secret\text{-}key, public\text{-}key), c);$ 
$t \leftarrow g(s))$ and let $\beta = \Pr(Adv(t) = 1 : t \leftarrow \{0,1\}^{r(n)})$. 
Then, for all $Adv$, for all negligible $\epsilon$, for all sufficiently large 
$n$, $|\alpha - \beta| < \epsilon(n)$. 

We call $g$ the invariant function of the signature scheme, and 
$r$ the length of the invariant function. 

REMARK: We note that in the above definition the invariant property holds 
for any public file $public\text{-}key$, and not just over $G_2(1^n)$. This requirement 
ensures that the invariant property holds for any public key, even a maliciously 
chosen one, and avoids the problem pointed out in [BY] of lack of certification in 
[FLS]. 

The most important aspect of an invariant signature scheme for our application is: 

Lemma: If $\pi = (G, S, V, g)$ is an invariant signature scheme, then there exists a 
polynomial time computable Boolean predicate $P$ which on input $1^n$ and $s$ outputs 
0 or 1 such that the following conditions hold: 

1. "$P$ is invariant for all signatures of a document": Let $Adv$ be a probabilistic 
polynomial-time algorithm which takes as input strings $c \in \{0,1\}^{l(n)}$, and produces 
as output $(public\text{-}key, D, \sigma_1(D), \sigma_2(D))$ where $public\text{-}key \in \{0,1\}^n$, 
$\sigma_1(D), \sigma_2(D)$ are valid signatures of $D$ with respect to $public\text{-}key$ and $c$. Then 
for all $Adv$, for all $public\text{-}key$, for all negligible $\epsilon$, for all sufficiently large $n$, 
the probability that $P(\sigma_1(D)) \neq P(\sigma_2(D))$ is less than $\epsilon(n)$. (The probability is 
taken over $c \leftarrow \{0,1\}^{l(n)}$ and coin-tosses of $Adv$.) 

2. "$P$ is unpredictable from $D$": Let $Adv$ be a probabilistic polynomial time algorithm 
which receives as input strings $1^n$, $c \in \{0,1\}^{l(n)}$, $public\text{-}key \in G_2(1^n)$; 
can request and receive signatures with respect to $public\text{-}key$ and $c$ of polynomially-many 
(in $n$) adaptively chosen documents $\{D_i\}$; and finally outputs a polynomial 
length string $D$ not in $\{D_i\}$ and a bit $b$. Let $\alpha = \Pr(b = P(t) : c \leftarrow 
\{0,1\}^{l(n)}; (secret\text{-}key, public\text{-}key) \leftarrow G(1^n, c); s \leftarrow S(1^n, D, (secret\text{-}key, 
public\text{-}key), c); t \leftarrow g(s))$. Then, for every $Adv$, for every negligible $\epsilon$, 
and for all sufficiently large $n$, $|\alpha - \frac{1}{2}| < \epsilon(n)$. 

We refer to the predicate $P$ as the invariant property of $\pi$. 
This lemma follows immediately from the definition of invariant signature scheme. 

REMARK: We must stress that the digital signatures of [GoMiRi, BeMi, NY, Ro] 
are not known to be invariant in the above sense. In fact, while the honest signer can 
sign in some predetermined (in fact, deterministic [G]) way, there exist many 
valid signatures for the same document which bear no similarity to each other. 
In contrast, invariant signatures require all valid signatures of a document to 
be "similar" according to some polynomial time computable function which is 
unpredictable from the document itself. 
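A toy instance of the quadruple $(G, S, V, g)$ of Definition 4, used to play the Alice/Bob game of Section 1.3, as an added Python example that is not code from this paper: deterministic RSA-style signing over two small Mersenne primes (constructed parameters, far too small for real use, and not a proof that the toy meets the security or pseudo-randomness conditions of Definition 4) gives one valid signature per document, so the invariant function $g$ can be the identity and Alice's predicate $B(x)$ is a Goldreich-Levin hard-core bit of $g(\sigma(x))$ against a public vector $r$ (also constructed by hashing a label). For contrast, a salted variant of the same signing makes many signatures of one document valid, and the block shows that the "predicate" then takes both values, which is the ill-definedness the text points out.

```python
import hashlib

# Toy trapdoor permutation behind the scheme: textbook RSA over two Mersenne
# primes. Constructed parameters, far too small for real use, chosen so the
# example runs instantly; a real scheme's G would generate fresh keys.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D_SECRET = pow(E, -1, (P - 1) * (Q - 1))

# Public Goldreich-Levin vector r, fixed here by hashing a label (constructed).
R_PUBLIC = int.from_bytes(hashlib.sha256(b"gl-vector").digest(), "big") >> (256 - N.bit_length())


def keygen():
    """G: returns (secret_key, public_key). Fixed parameters stand in for key generation."""
    return D_SECRET, (N, E)


def hash_to_zn(data: bytes, n: int) -> int:
    """Full-domain-style hash of a document into Z_n (constructed helper)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(doc: bytes, secret_key: int, public_key: tuple) -> int:
    """S: deterministic signing, so every run on the same document yields the same string."""
    n, _ = public_key
    return pow(hash_to_zn(doc, n), secret_key, n)


def verify(doc: bytes, sig: int, public_key: tuple) -> bool:
    """V: anyone holding the public key can check a signature."""
    n, e = public_key
    return pow(sig, e, n) == hash_to_zn(doc, n)


def g(sig: int) -> int:
    """Invariant function: with a unique signature per document the identity suffices."""
    return sig


def invariant_predicate(sig: int) -> int:
    """P(s): hard-core bit <g(s), r> mod 2. This is Alice's B(x) in the Section 1.3 game."""
    return bin(g(sig) & R_PUBLIC).count("1") & 1


def bob_checks(doc: bytes, sig: int, public_key: tuple):
    """Bob cannot compute B(doc) himself (no secret key); given a valid signature he
    recomputes the bit, and rejects anything that does not verify."""
    if not verify(doc, sig, public_key):
        return None
    return invariant_predicate(sig)


# Contrast: a salted variant in which every salt rho gives a different valid signature.
def sign_salted(doc: bytes, rho: bytes, secret_key: int, public_key: tuple) -> tuple:
    n, _ = public_key
    return rho, pow(hash_to_zn(doc + rho, n), secret_key, n)


def verify_salted(doc: bytes, sig: tuple, public_key: tuple) -> bool:
    n, e = public_key
    rho, s = sig
    return pow(s, e, n) == hash_to_zn(doc + rho, n)


def predicate_values_salted(doc: bytes, salts, secret_key: int, public_key: tuple) -> set:
    """The set of bits a signer could 'prove' for doc under the salted scheme, one valid
    signature per salt. When this set is {0, 1} the predicate is not well defined."""
    return {invariant_predicate(sign_salted(doc, rho, secret_key, public_key)[1]) for rho in salts}


if __name__ == "__main__":
    sk, pk = keygen()
    s = sign(b"document", sk, pk)
    print(verify(b"document", s, pk), bob_checks(b"document", s, pk))
    print(predicate_values_salted(b"document", [bytes([i]) for i in range(32)], sk, pk))
```

In the deterministic scheme `sign` returns the same value on every call, so `g` is trivially invariant and `bob_checks` can only ever recover one bit per document; in the salted scheme each salt is a distinct valid signature and a signer could present whichever one carries the bit he prefers, which is why the text insists on the invariance condition before using a hard-core bit of a signature as a shared predicate.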

3 Preliminaries 

Before we show the equivalence between the existence of NIZK and INV-DS, 
we review the necessary ingredients of the [FLS] and [BG] schemes. 

3.1 Where do Feige-Lapidot-Shamir use the trapdoor? 

The [FLS] solution for NIZK for NP when the participants are polynomial-time 
requires the assumption that trapdoor permutations exist. This assumption 
is not necessary throughout their construction. In fact, the only place where the 
trapdoor property is used is to construct a "hidden random string". In particular, 
they show how to use a common random string in order to get a "hidden random 
string" as follows: 

- The prover picks a trapdoor one-way permutation $(f, f^{-1})$ and sends to the 
verifier the code of $f$. In addition, let $B$ be a hard-core predicate associated 
with $f$ [GL]. 

- A common random tape can be interpreted as a sequence $(y_1, y_2, \dots, y_m)$, 
with each $|y_i|$ of length $n$ (a security parameter of $f$). Then the hidden random 
string is defined as: $(B(f^{-1}(y_1)), B(f^{-1}(y_2)), \dots, B(f^{-1}(y_m)))$, where $B(\cdot)$ 
is a hard-core bit [GL]. Notice that since $f$ is a permutation, the hidden 
random string is well-defined^4. Notice that since $f$ is a trapdoor permutation, 
the polynomial time prover can compute $f^{-1}(y_i)$. 

^4 In [FLS] it is assumed that $f$ is a verifiable permutation. That is, the verifier can check 
that it is a permutation by inspecting the code of $f$. In [BY], this is extended to 
arbitrary trapdoor one-way permutations. 
Using different $f$'s the prover can construct new hidden random bits (for each 
new theorem). Thus, they show how, assuming a common fixed (polynomial 
length) random string and the existence of trapdoor one-way permutations, a 
NIZK which is publicly verifiable and zero-knowledge (in an adaptive setting) 
can be constructed for NP. 
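The hidden random string construction just described, as an added Python example that is not code from [FLS] or from this paper: textbook RSA over two small Mersenne primes stands in for the trapdoor permutation $f$, a Goldreich-Levin inner product with a public vector $r$ stands in for the hard-core bit $B$, and the common random string $c$ is expanded deterministically from a label so the run is reproducible; all of these parameters are constructed for illustration and far too small for real use. The block shows the prover computing the hidden bits with the trapdoor, opening a bit by publishing the preimage $x_i = f^{-1}(y_i)$, and the verifier accepting an opening only after checking $f(x_i) = y_i$.

```python
import hashlib

# Toy trapdoor permutation: textbook RSA over two Mersenne primes. These are
# constructed parameters, far too small for real use, chosen so the example
# runs instantly. The prover holds D_TRAPDOOR; the verifier only knows (N, E).
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D_TRAPDOOR = pow(E, -1, (P - 1) * (Q - 1))

BLOCK_BYTES = 11            # 88-bit blocks y_i; 2**88 < N so every y_i lies in Z_N


def f(x: int) -> int:
    """The public permutation f(x) = x^E mod N (anyone can evaluate it)."""
    return pow(x, E, N)


def f_inv(y: int) -> int:
    """Inversion with the trapdoor; only the prover can do this."""
    return pow(y, D_TRAPDOOR, N)


def hard_core_bit(x: int, r: int) -> int:
    """Goldreich-Levin hard-core predicate B_r(x) = <x, r> mod 2 for a public r."""
    return bin(x & r).count("1") & 1


def constructed_common_random_string(label: bytes, length: int) -> bytes:
    """Stand-in for the trusted center's published random string c. It is
    expanded from a label with SHA-256 so the example is reproducible; a real
    system publishes true randomness here."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def blocks(crs: bytes) -> list:
    """Read c as the sequence (y_1, ..., y_m) of 88-bit integers."""
    return [int.from_bytes(crs[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(crs) - BLOCK_BYTES + 1, BLOCK_BYTES)]


def prover_hidden_string(crs: bytes, r: int) -> list:
    """Prover side: hidden bit i is B_r(f^{-1}(y_i)), computable only with the trapdoor."""
    return [hard_core_bit(f_inv(y), r) for y in blocks(crs)]


def prover_open_bit(crs: bytes, i: int) -> int:
    """To reveal hidden bit i the prover publishes the preimage x_i = f^{-1}(y_i)."""
    return f_inv(blocks(crs)[i])


def verifier_check_opening(crs: bytes, i: int, x_i: int, r: int):
    """Verifier side: accept x_i only if f(x_i) = y_i, then recompute the bit.
    Returns the bit, or None when the claimed preimage is wrong."""
    if f(x_i) != blocks(crs)[i]:
        return None
    return hard_core_bit(x_i, r)


def demo(num_bits: int = 8):
    """Run the exchange for num_bits hidden bits; returns (prover's bits, verifier's bits)."""
    crs = constructed_common_random_string(b"example-crs", num_bits * BLOCK_BYTES)
    # Public GL vector r with as many bits as an element of Z_N (constructed from a label).
    r = int.from_bytes(hashlib.sha256(b"example-r").digest(), "big") >> (256 - N.bit_length())
    hidden = prover_hidden_string(crs, r)
    opened = [verifier_check_opening(crs, i, prover_open_bit(crs, i), r) for i in range(num_bits)]
    return hidden, opened


if __name__ == "__main__":
    print(demo())
```

Because $f$ is a permutation, each $y_i$ has exactly one preimage, so an opening can reveal only one value for bit $i$; `verifier_check_opening` rejects any other claimed preimage, which is the well-definedness the text relies on. Without the trapdoor the verifier has no way to compute the bits itself, and the hidden string stays hidden until the prover chooses to open positions.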

3.2 Bellare-Goldwasser Signature Scheme 

In [BG], it is shown how, assuming publicly verifiable non-interactive zero- 
knowledge proofs and the pseudo-random functions of [GGM], a signature scheme 
can be constructed. (As was shown by [GGM], pseudo-random functions can be 
based on any one-way function.) 
We outline their scheme below: 

Step 1: The signer chooses at random a seed $s$ for a pseudo-random 
function $F_s(\cdot)$ and publishes an encryption $E(s)$ along with the 
public information necessary to verify NIZK proofs (i.e., the 
random string etc.) as his public key, and keeps $s$ as his secret 
key. 

Step 2: The signature of a document $D$ is the value $v = F_s(D)$ together 
with a NIZK proof that indeed $v$ was computed correctly. 

We remark that in their construction the public key contains the random 
string which is necessary for the signer for producing NIZK proofs. Since the 
signer serves here in the role of the prover, and it is to his advantage to choose 
the random string truly with uniform probability (else the chance of a successful 
forgery increases), the random string is made part of the signer's public key rather 
than part of the system's choice. 

In what follows, we will use a similar scheme except that the random string 
needed by the NIZK proof system will be specified by the system as a common 
random string. 

4 The Equivalence of NIZK and INV-DS 

Recall that when we say that nontrivial NIZK exist, we mean that NIZK 
proof systems exist for some hard to predict language $L$. First, we state our main 
result: 

MAIN THEOREM: INV-DS exist if and only if nontrivial NIZK exist. 
Proof outline: We prove our main result in two parts: (1) INV-DS imply 
the existence of nontrivial NIZK; (2) nontrivial NIZK imply the existence of 
INV-DS. 

First, we prove (1). We claim that digital signatures (and, hence, INV-DS) 
already imply the existence of a one-way function [Ro]. Thus, it remains to show 
that based on INV-DS and the existence of one-way functions we can con- 
struct NIZK for some hard language. Assuming that a one-way function $f$ exists, 
we can construct a hard language in a straightforward fashion. For example, 
let L f = = 1}, where $B$ is a hard-core bit for $f$ [GL]). We now 

give intuition for the fact that INV-DS imply NIZK in the common random 
string model. 

Let us first consider the case of one-theorem NIZK, with the common 
random string $R = (y_1, \ldots, y_m)$. To specify a hidden random string $H = 
(b_1, \ldots, b_m)$, instead of using a trapdoor function (i.e., $b_i = B(f^{-1}(y_i))$ where $B$ 
is a hard-core bit as in section 3.1) the intuition is to use digital signatures (i.e., 
$b_i = P(\sigma(y_i))$ where $P$ is some boolean function of the digital signature of $y_i$). 
Clearly, this intuition is correct if indeed for every $y_i$ there exists a unique fixed 
boolean value $b_i$ computable from any valid signature of $y_i$. Unfortunately, this 
is not the case for digital signatures in general [GoMiRi, BeMi, NY, Ro]. We re- 
mark that if it were true, then we could have implemented NIZK based on any 
one-way function instead of one-way trapdoor permutations as currently known. 
However, the above intuition is true for invariant digital signatures with high 
probability. That is, for invariant signatures it is the case that for all $y_i$ there 
exists some invariant function $g$ defined over the signatures $\sigma(y_i)$, and therefore 
an invariant Boolean predicate $P$ defined over the signatures $\sigma(y_i)$. 

Now, let us consider the case for many theorems. In this case, we need differ- 
ent hidden random strings for each new theorem. Thus, how do we extend the 
above intuition to obtain many hidden random strings for different theorems? 
(Recall that the solution of [FLS] was to pick a new trapdoor one-way permutation 
$f$ for each new proof, so that a common random string $(y_1, y_2, \ldots, y_m)$ defines a 
hidden random string $(B(f^{-1}(y_1)), B(f^{-1}(y_2)), \ldots, B(f^{-1}(y_m)))$.) The solution 
here is simple: when proving the $i$'th theorem $T_i$ we use as a common hidden 
random string the sequence $(P(\sigma(y_1 + i)), P(\sigma(y_2 + i)), \ldots, P(\sigma(y_m + i)))$. By 
adding a new $i$ when proving each new theorem, we note that each new hidden 
random string is unpredictable even when given proofs of all the previous the- 
orems. This is so since the definition of INV-DS requires that the hard bit 
$P(\sigma(y + i))$ be unpredictable in the adaptive setting (i.e., even if for all $j < i$, 
$P(\sigma(y + j))$ is given). 

We are now ready to outline how to use an INV-DS to construct a NIZK 
for an NP language. Let $n$ be a security parameter and $nm$ the length of the com- 
mon random string (where $m$ is as specified in [FLS]). (1) Run the key-generation 
algorithm for INV-DS $m$ times and publish all $m$ public keys as a "com- 
mon" public key; (2) Keep a counter $i$ (initialized to 0) of the number of the- 
orems proven so far; (3) to prove theorem $T_i$, utilize $(P(\sigma(y_1 + i)), P(\sigma(y_2 + 
i)), \ldots, P(\sigma(y_m + i)))$ as the hidden random sequence of the [FLS] construction. 

Note that the completeness follows from the fact that both $P$ and $\sigma$ are 
efficiently computable, and the rest of the protocol is analogous to [FLS]. The 
soundness holds since the signature scheme we are using is invariant, and hence 
any particular choice of $i$ with high probability specifies uniquely a hidden ran- 
dom string. Thus, for a sufficiently long random string, even if the prover picks an 
arbitrary (but polynomially-bounded) $i$, the conditions that at least one "block" 
has the property required by the [FLS] proof do hold with very high probability (over 
a common random string chosen with uniform distribution). The zero-knowledge 
property holds due to the fact that if the adversary can distinguish the NIZK 
and the simulator then [FLS] show that such a distinguisher can be turned into 
a good predictor of a hidden random bit. (The idea there is to use a witness- 
indistinguishable proof that either the graph is Hamiltonian or that the first $2n$ 
random bits of the common random string are pseudo-random and are produced 
from a seed of length $n$. Exploiting properties of witness-indistinguishability, [FLS] 
show that the distinguisher of the simulator can be turned into a distinguisher for 
a pseudo-random generator or into a predictor of hidden random bits.) In our 
construction, predicting a hidden random bit provides us with a predictor of the 
invariant property, which by definition enables us to forge an INV-DS for 
some new $D'$. Since our signature scheme is secure against existential adaptive 
chosen-message attacks, we get a contradiction. 

In order to show (2), we first note that NIZK for hard to predict $L$ imply 
the existence of one-way functions [OW]. Hence, we must show that assuming 
one-way functions and NIZK proofs is sufficient to construct INV-DS. This, 
however, is essentially established for us by [BG] with the following modification 
of their construction. The idea is to make sure that $E(s)$ (of [BG] Step 1) uniquely 
specifies $s$, i.e., is a commitment to $s$. If this is the case, then for any document 
$D$, $F_s(D)$ (of [BG] Step 2) is uniquely defined, and the invariant function will be 
simply $F_s(D)$. Any bit of $F_s(D)$ can be used as a hard-core bit for the invariant 
predicate $P$ (as discussed in the section on the definition of invariant signatures). 

Now, we specify how to perform Step 1 of [BG] based on any one-way func- 
tion. In order to commit to a seed $s$ consisting of bits $s_1, s_2, \ldots, s_n$, the player 
commits to each bit $s_i$ separately using a modification of Naor's scheme [N]. 
(The scheme of [N] is interactive, in which the player who receives committed 
bits (called Bob) chooses a random string during the conversation.) In our pro- 
tocol, the challenges of Bob are substituted by a (dedicated for this purpose) 
portion of the common random string. Following through an argument analo- 
gous to [N] shows that this scheme uniquely determines $s$ with overwhelming 
probability (over a uniformly distributed common random string), and hence we 
can use the proof of security presented in [BG] here as well. Hence we are done 
with (2). □ 
Abstract 

In this paper, we investigate the discrepancy between a serial version and a parallel version 
of zero-knowledge protocols, and clarify the information "leaked" in the parallel version, which 
is not zero-knowledge, unlike the case of the serial version. We consider two sides, one negative 
and the other positive, of the parallel version of zero-knowledge protocols, especially of the 
Fiat-Shamir scheme. 



1 Introduction and motivation 

The notions of interactive proofs and zero knowledge were introduced by Goldwasser, Micali 
and Rackoff [GMR]. Fiat and Shamir [FiS] exhibited a practical identification scheme, which 
is zero-knowledge, based on the intractability of factorization. 

A common weakness in such zero-knowledge protocols is that the protocols require many 
iterations of a basic (three move) protocol, so such zero-knowledge protocols are not efficient. 

The straightforward parallelization of the basic protocol decreases the round complexity 
of the protocols. However, a problem with the straightforward parallelization of zero-knowledge 
protocols is that the technique used to prove zero-knowledge in the serial version, so-called 
resettable simulation, fails in the parallel version. 

Feige, Fiat and Shamir [FSS] showed that the parallel version of the Fiat-Shamir identifi- 
cation scheme releases no "useful" knowledge that could help the verifier to impersonate the 
prover within the identification system. 

On the other hand, Goldreich and Krawczyk [GKr] observed that non-zero-knowledgeness 
is an intrinsic property of three move protocols, and showed that the parallel version of the 
Fiat-Shamir scheme is not zero-knowledge unless factorization is tractable. 

Our motivation for this study is derived from these contradictory results on the security of 
the parallel version of the Fiat-Shamir scheme (generally, of three move protocols). 

Some researchers have characterized the security of the parallel execution of Fiat-Shamir type 
identification schemes [FSS, FeS, OhOk'88, BM]. However, none has investigated what kind of 
information is leaked by the parallel version or how useful this knowledge is for the verifier. 

In this paper, we investigate the essential discrepancy between the serial version and the 
parallel version of the Fiat-Shamir scheme (more generally, zero-knowledge protocols), and 
clarify properties which the parallel version has but the serial version does not have. 
Our main observation is that the information "leaked" in the parallel version of the Fiat- 
Shamir identification scheme is closely related to a digital signature which is a modification 
of the Fiat-Shamir identification scheme, and that the parallel version of zero-knowledge protocols 
leaves a trace. 

Furthermore, we consider two sides of the discrepancy, one negative and the other positive. 

Organization of this paper 

In section 2, we give the definitions and an overview of the Fiat-Shamir scheme. In section 3, we 
consider the reason why straightforward parallelization fails to be zero-knowledge. In section 
4, we point out abuses of the parallel version. In section 5, we positively apply the parallel 
version. Finally, we conclude with future topics. 

2 Preliminaries 

In this section, we give some definitions on zero-knowledge [GMR] and an overview of the Fiat- 
Shamir scheme [FiS, FSS]. The reader who is familiar with these topics may skip this section. 

2.1 Notation and Definitions 

Our model of computation is interactive probabilistic Turing machines (both for the prover 
$P$ and for the verifier $V$) with an auxiliary input. The common input is denoted by $x$, and 
its length is denoted by $|x| = n$. We use $\nu(n)$ to denote any function vanishing faster than the 
inverse of any polynomial in $n$. More formally, 

$\forall k \in \mathbb{N}\ \exists n_0 \text{ s.t. } \forall n > n_0 \quad 0 < \nu(n) < \frac{1}{n^k}.$ 

We define negligible probability to be probability behaving as $\nu(n)$, and overwhelming 
probability to be probability behaving as $1 - \nu(n)$. 

Let $A(x)$ denote the output of a probabilistic algorithm $A$ on input $x$. This is a random 
variable. When we want to make the coin tosses of $A$ explicit, for any $\rho \in \{0, 1\}^*$ we write $A[\rho]$ 
for the algorithm $A$ with $\rho$ as its random tape. Let $V_P(x)$ denote $V$'s output after interaction 
with $P$ on common input $x$, and let $M(x; A)$ (where $A$ may be either $P$ or $V$) denote the output 
of the algorithm $M$ on input $x$, where $M$ may use the algorithm $A$ as a (blackbox) subroutine. 
Each call $M$ makes to $A$ is counted as a single computation step for $M$. 

Definition 2.1 [GMR]: An interactive proof for membership of the language $L$ is a pair of 
interactive probabilistic Turing machines $(P, V)$ satisfying: 

Membership Completeness: If $x$ belongs to $L$, $V$ accepts $P$'s proof 
with overwhelming probability. Formally: 

$\forall x \in L \quad \Pr(V_{P(x)}(x) \text{ accepts}) > 1 - \nu(|x|),$ 

where the probability is taken over all of the possible coin tosses of $P$ 
and $V$. 

Membership Soundness: If $x$ does not belong to $L$ and $P^*$ may act 
in any way, $V$ accepts $P^*$'s proof with negligible probability. Formally: 

$\forall x \notin L\ \forall P^* \quad \Pr(V_{P^*(x)}(x) \text{ accepts}) < \nu(|x|),$ 

where the probability is taken over all of the possible coin tosses of $P^*$ 
and $V$. 
It should be noted that $P$'s resource is computationally unbounded, while $V$'s resource is 
bounded by probabilistic polynomial time in $|x|$. 

Definition 2.2: Let $R$ be a relation $\{(x, w)\}$ testable in $\mathcal{BPP}$. Namely, given $x$ and $w$, 
checking whether $(x, w) \in R$ is computed in probabilistic polynomial time. For any $x$, its 
witness set $w(x)$ is the set of $w$ such that $(x, w) \in R$. 

Definition 2.3 [FSS]: An interactive proof of knowledge for the relation $R$ is a pair of 
interactive probabilistic Turing machines $(P, V)$ satisfying: 

Knowledge Completeness: For any $(x, w) \in R$, $V$ accepts $P$'s proof 
with overwhelming probability. Formally: 

$\forall (x, w) \in R \quad \Pr(V_{P(x, w)}(x) \text{ accepts}) > 1 - \nu(|x|),$ 

where the probability is taken over all of the possible coin tosses of $P$ 
and $V$. 

Knowledge Soundness: For any $x$, for any $P^*$, $P^*$ can convince $V$ to 
accept only if he actually "knows" a witness for $x \in \mathrm{dom}\, R$. An expected 
polynomial time knowledge extractor $M$ is used in order to demonstrate 
$P^*$'s ability to compute a witness. Formally: 

$\forall a\ \exists M\ \forall P^*\ \forall x\ \forall w'\ \forall \rho$ 

$\Pr(V_{P^*[\rho](x, w')}(x) \text{ accepts}) > 1/|x|^a \Rightarrow$ 

$\Pr(M(x; P^*[\rho](x, w')) \in w(x)) > 1 - \nu(|x|),$ 

where the probability is taken over all of the possible coin tosses of $M$ 
and $V$. $P^*$ is assumed not to toss coins, since his favorable coin tosses can 
be incorporated into the auxiliary input $w'$. The knowledge extractor $M$ 
is allowed to use $P^*$ as a blackbox subroutine and runs in expected poly- 
nomial time. Each message that $P^*$ sends $M$ costs a single computation 
step for $M$. 

Note that both $P$'s and $V$'s resources are bounded by probabilistic polynomial time in $|x|$. 

We recall that the view of the verifier is everything he sees during an interaction with the 
prover, that is, his own coin tosses and the conversation between himself and the prover. 

Definition 2.4 [GMR]: Let $(P, V)$ be an interactive protocol and let $x \in \{0, 1\}^*$. The view 
of $V$ on input $x$ is the probability space 

$\mathrm{VIEW}_{(P, V)}(x) = \{(R, C) : R \in_R \{0, 1\}^{p(|x|)};\ C \leftarrow (P \leftrightarrow V[R])(x)\},$ 

where $p$ is a polynomial bounding the running time of $V$, and $(P \leftrightarrow V[R])(x)$ denotes the 
probability space of conversations between $P$ and $V[R]$ on input $x$ (the probability is taken 
over all of the possible coin tosses of $P$). 

Denote by $\mathrm{Time}_V^P(x)$ the running time of machine $V$ when interacting with $P$ on input $x$. 

Definition 2.5 [GO]: An interactive proof system $(P, V)$ of knowledge for the relation $R$ is 
blackbox simulation perfect zero knowledge if there exists a universal simulator $S_U$ which runs in 
expected polynomial time, such that for every polynomial $Q$ and any pair $(x, y, V')$ such that 
$(x, y) \in R$ and $\mathrm{Time}_{V'}^{P(y)}(x) \le Q(|x|)$, $S_U(x; V'(x))$ is exactly identical to $\mathrm{VIEW}_{(P(y), V')}(x)$. 
Formally: 

$\exists S_U\ \forall Q\ \forall x\ \forall y\ \forall V' \text{ s.t. } (x, y) \in R \ \&\ \mathrm{Time}_{V'}^{P(y)}(x) \le Q(|x|),$ 
$\mathrm{VIEW}_{(P(y), V')}(x) = S_U(x; V'(x)).$ 

Blackbox simulation zero knowledge represents the strongest notion of zero knowledge 
among the types of simulation (e.g. auxiliary input zero-knowledge [GO]), although all 
known concrete zero knowledge protocols are in fact blackbox simulation zero knowledge. Thus 
the definitions above are reasonable and never too restrictive. 

Throughout this paper, we use the term "zero knowledge" in the sense of blackbox simulation 
zero knowledge. 

$\bar{A}$ (resp. $\bar{B}$) represents the real prover (resp. verifier) who follows its designated protocol. 
$A$ represents a polynomial time cheater who does not possess the witness (or secret) but can 
deviate from the protocol in an arbitrary way. $B$ represents an arbitrary polynomial time verifier 
who tries to extract additional information from $\bar{A}$. 

Definition 2.6 [FSS]: The protocol $(\bar{A}, \bar{B})$ releases no transferable information if: 

1. It succeeds with overwhelming probability. 

2. There is no coalition of $\bar{A}, B$ with the property that, after a polynomial number 
of executions of $(\bar{A}, B)$, it is possible to execute $(A, \bar{B})$ with a non-negligible probability 
of success. 

Ohta and Okamoto [OhOk'88] defined rigorous notions of "revealing no transferable infor- 
mation". 

For a more precise definition of no transferable information that is suitable for the identification system, 
see the journal version of the reference [FSS]. 

2.2 The Fiat-Shamir scheme 

Fiat and Shamir [FiS] exhibited a practical identification scheme and a signature scheme that 
are provably secure if factoring is difficult. We overview their scheme. 

Fiat-Shamir identification scheme (FSIS) 

1. Preprocessing stage between the trusted center and each user 

The unique trusted center's secret key in the system is $(p, q)$, and the public key is $N$, where 
$p, q$ are distinct large primes, $N = p \times q$. The center generates user $A$'s secret key $s_A$, where 
$1/s_A = \sqrt{I_A} \pmod N$. $I_A$ is the identity of user $A$ and is published to other users. 

2. Identification stage between user A and user B 

Repeat step (a) to (d) t times. 

(a) The user A picks $r \in_R \mathbb{Z}_N^*$, and sends $x = r^2 \pmod N$ to the user B. 

(b) The user B generates $e \in_R \{0, 1\}$, and sends $e$ to the user A. 

(c) The user A sends $y = s_A^{e} r \pmod N$ to the user B. 

(d) The user B checks that $x = y^2 I_A^{e} \pmod N$. If the check is not valid, the user B quits the 
procedure. 

The user B accepts A's proof of identity only if all $t$ round checks are successful. 

Remark 2.7: In the parallel version of the protocol above, A sends B all the $x_i$ ($i = 1, \ldots, t$) 
simultaneously, then B sends A all the $e_i$ ($i = 1, \ldots, t$), and finally A sends all the $y_i$ ($i = 1, \ldots, t$) to 
B. 
Furthermore, Fiat and Shamir modified the identification scheme above into a non-interactive 
digital signature scheme by replacing the verifier B's role by the prover with a pseudo-random 
function $f$. 

Fiat-Shamir digital signature scheme (FSDS) 

1. Preprocessing stage between the trusted center and each user 
Same as the preprocessing stage in FSIS. 

2. To sign a message M : 

The user A picks $r_i \in_R \mathbb{Z}_N^*$ ($i = 1, \ldots, t$), and calculates $x_i = r_i^2 \pmod N$ ($i = 1, \ldots, t$), 
$f(M, x_1, \ldots, x_t)$ and sets its first $t$ bits to $e_i$ ($i = 1, \ldots, t$). Furthermore, the user A computes 
$y_i = s_A^{e_i} r_i \pmod N$ ($i = 1, \ldots, t$) and sends $M, e_i, y_i$ ($i = 1, \ldots, t$) to the user B. 

3. To verify A's signature on $M$: 

The user B calculates $z_i = y_i^2 I_A^{e_i} \pmod N$ ($i = 1, \ldots, t$), $f(M, z_1, \ldots, z_t)$, and checks that its 
first $t$ bits are equal to $e_i$ ($i = 1, \ldots, t$). If the checks are valid, the user B recognizes that $M$ is 
A's valid message. 

2.3 Known properties of the Fiat-Shamir scheme 

Feige, Fiat and Shamir [FSS] showed that FSIS is provably secure. Namely, 

Proposition 2.8 [FSS]: The serial version of FSIS, where $t = O(|N|)$, is a zero-knowledge 
proof of knowledge. 

Although Feige, Fiat and Shamir [FSS] did not show that the parallel version of FSIS is zero 
knowledge, they did show that the parallel version of FSIS releases no "useful" knowledge that 
could help the verifier to impersonate the prover within the identification system. Namely, 

Proposition 2.9 [FSS]: If factoring is difficult, the parallel version of FSIS releases no trans- 
ferable information. 

Note that Proposition 2.9 does not imply that the parallel version of FSIS releases no "useful" 
knowledge that could help the verifier to cheat outside the identification system. 

Goldreich and Krawczyk [GKr] observed that non-zero-knowledgeness is an intrinsic prop- 
erty of the parallel version of the FSIS protocol. 

Proposition 2.10 [GKr]: If factoring is difficult, the parallel version of FSIS is not (black- 
box simulation) zero knowledge. 

Although the straightforward parallel version of FSIS is not zero-knowledge, Bellare, Micali, 
and Ostrovsky [BMO] proposed how to parallelize FSIS while preserving zero-knowledgeness. 
Their scheme is not three move and needs some additional interactions between the prover and 
the verifier. 

In this paper, we use the term "parallel" version of protocols in the sense of the (three move) 
straightforward parallelization as in Remark 2.7. 

With respect to the security of FSDS, Fiat and Shamir showed 

Proposition 2.11 [FiS]: When $f$ is a truly random function, FSDS is existentially unforge- 
able under an adaptive chosen message attack unless factoring is easy. 

Remark 2.12: A variant of the Fiat-Shamir scheme has been proposed [GQ1] and its security as in 
Proposition 2.9 has been considered [OhOk'88]. Brickell and McCurley [BM] proposed a modified 
Schnorr identification scheme [Sch] based on a special discrete logarithm problem, and gave a formal 
proof of its security. A provably secure three move identification scheme based on general problems 
is proposed by Okamoto [Oka]. 
3 Why does straightforward parallelization fail to be 
zero-knowledge? 

Feige, Fiat and Shamir's result in Proposition 2.9 guarantees a security of the parallel version 
of FSIS. On the other hand, Goldreich and Krawczyk's statement in Proposition 2.10 implies 
that the parallel version of FSIS is not (blackbox simulation) zero knowledge. Many researchers 
[FSS, BC] remarked that the parallel version of FSIS could leak some "partial" information on 
the prover's secret. 

Our first question is: 

Question A: What information is released in the parallel version of FSIS? 

To prove a protocol to be zero knowledge, the main technique is to reset a (cheating) verifier, so- 
called resettable simulation [GMR]. 

Many researchers [BC, BMO] have observed that the resettable simulation may not be 
applied to the following cheating verifier in the parallel version of FSIS. 

After receiving the prover's messages $x_i$ ($i = 1, \ldots, t$), the (cheating) verifier 
sends back bits $e_i$ ($i = 1, \ldots, t$) which are computed with dependence on $x_i$ ($i = 
1, \ldots, t$), for example, $(e_1, \ldots, e_t) = g(x_1, \ldots, x_t)$ for a random hash function $g$. 

In fact, Goldreich and Krawczyk's proof of the non-zero-knowledgeness of the parallel version 
of FSIS (generally, of the triviality of three move protocols) is based on a careful analysis of 
the cheating verifier with a random hash function. 

In the cheating strategy above, the verifier learns $(x_1, \ldots, x_t, y_1, \ldots, y_t)$ satisfying the condi- 
tions that $(e_1, \ldots, e_t) = g(x_1, \ldots, x_t)$ and $y_i = s^{e_i} r_i \pmod N$ ($i = 1, \ldots, t$). The (polynomial- 
time bounded) verifier without the secret $s$ seems not to be able to generate such information 
by himself. Thus, we regard the information above as knowledge leaked in the parallel version 
of FSIS. 

Our second question is as follows. 

Question B: How useful is this information for the verifier? 
To clarify the role of this information, we consider a verifier who acts as below. 

After receiving the prover's messages $x_i$ ($i = 1, \ldots, t$), the verifier selects a message 
$M$ and sends back bits $e_i$ ($i = 1, \ldots, t$) which are computed as $g(M, x_1, \ldots, x_t)$ for 
a one-way hash function $g$. 

In this cheating method, the verifier learns $(x_1, \ldots, x_t, y_1, \ldots, y_t)$ satisfying the conditions 
that $(e_1, \ldots, e_t) = g(M, x_1, \ldots, x_t)$ and $y_i = s^{e_i} r_i \pmod N$ ($i = 1, \ldots, t$) for the message $M$ 
selected by him. If $g$ is a one-way hash function, we can regard $(e_1, \ldots, e_t, y_1, \ldots, y_t)$ as the 
prover's digital signature for the message $M$ in FSDS with respect to the function $g$. 

Our observation above implies that in the parallel version of FSIS a cheating verifier, who 
has access to the true prover in the parallel version of FSIS, gets the prover's digital 
signature of FSDS for any message $M$. Note that in the serial version of FSIS, even if a 
cheating verifier acts the same as above, the verifier cannot get any digital signature of 
FSDS. 
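The observation above, worked through in code as an added example (not from the paper): a toy FSIS/FSDS instance with constructed parameters, in which a verifier who sets the parallel challenges to $e = g(M, x_1, \ldots, x_t)$ walks away with a transcript that passes FSDS verification for $M$, whereas in the serial interaction each $e_i$ can depend only on $x_1, \ldots, x_i$, so no such signature results. Here $g$ is SHA-256 truncated to $t$ bits, and all function names are assumptions of this example.

```python
# Added example (not the paper's code). Toy FSIS (serial and parallel, Remark
# 2.7) and FSDS over a constructed modulus N = 61 * 53. Assumed names:
# fs_keygen, Prover, fsis_round_ok, fsis_parallel, fsis_serial, fsds_sign,
# fsds_verify, leaked_signature.
import hashlib
import math
import random

T = 32  # rounds = challenge bits (constructed toy value)


def g(m: bytes, xs, t=T):
    """Public hash g: first t bits of SHA-256(M, x_1, ..., x_t)."""
    h = hashlib.sha256(m + b"".join(x.to_bytes(8, "big") for x in xs)).digest()
    v = int.from_bytes(h, "big")
    return [(v >> (8 * len(h) - 1 - i)) & 1 for i in range(t)]


def fs_keygen(p, q, rng):
    """Center: N = pq; user secret s with 1/s = sqrt(I) mod N, i.e. I = s^-2."""
    n = p * q
    while True:
        s = rng.randrange(2, n)
        if math.gcd(s, n) == 1:
            break
    return n, s, pow(pow(s, -1, n), 2, n)


class Prover:
    """Honest prover A: x = r^2, then y = s^e r (mod N), fresh r per round."""
    def __init__(self, n, s, rng):
        self.n, self.s, self.rng, self.r = n, s, rng, {}

    def commit(self, i):
        while True:
            r = self.rng.randrange(2, self.n)
            if math.gcd(r, self.n) == 1:
                break
        self.r[i] = r
        return r * r % self.n

    def respond(self, i, e):
        return pow(self.s, e, self.n) * self.r.pop(i) % self.n


def fsis_round_ok(n, i_a, x, e, y):
    """Step (d): x == y^2 * I_A^e (mod N)."""
    return x == pow(y, 2, n) * pow(i_a, e, n) % n


def fsis_parallel(prover, choose, t=T):
    """All x_i, then all e_i = choose(x_1..x_t), then all y_i."""
    xs = [prover.commit(i) for i in range(t)]
    es = choose(xs)
    ys = [prover.respond(i, es[i]) for i in range(t)]
    return xs, es, ys


def fsis_serial(prover, choose, t=T):
    """Serial FSIS: the i-th challenge may depend on x_1..x_i only."""
    xs, es, ys = [], [], []
    for i in range(t):
        xs.append(prover.commit(i))
        es.append(choose(xs)[i])   # choose sees the prefix only
        ys.append(prover.respond(i, es[i]))
    return xs, es, ys


def fsds_sign(n, s, m, rng, t=T):
    """FSDS: e = g(M, x_1..x_t), y_i = s^{e_i} r_i; signature is (e, y)."""
    return fsis_parallel(Prover(n, s, rng), lambda xs: g(m, xs, t), t)[1:]


def fsds_verify(n, i_a, m, es, ys, t=T):
    """Recompute z_i = y_i^2 I_A^{e_i} (= x_i) and compare g(M, z) with e."""
    zs = [pow(y, 2, n) * pow(i_a, e, n) % n for e, y in zip(es, ys)]
    return g(m, zs, t) == es


def leaked_signature(n, s, i_a, m, rng, parallel=True):
    """The section-3 verifier: challenges e = g(M, x_1..x_t) (missing x's are
    padded with 0 in the serial case). Returns (all rounds verified under FSIS,
    transcript (e, y) verifies as an FSDS signature on M)."""
    run = fsis_parallel if parallel else fsis_serial
    choose = lambda xs: g(m, xs + [0] * (T - len(xs)))
    xs, es, ys = run(Prover(n, s, rng), choose)
    rounds = all(fsis_round_ok(n, i_a, x, e, y) for x, e, y in zip(xs, es, ys))
    return rounds, fsds_verify(n, i_a, m, es, ys)


if __name__ == "__main__":
    rng = random.Random(7)
    n, s, i_a = fs_keygen(61, 53, rng)
    msg = b"constructed message M"
    print("parallel FSIS -> FSDS signature:", leaked_signature(n, s, i_a, msg, rng))
    print("serial FSIS   -> FSDS signature:", leaked_signature(n, s, i_a, msg, rng, False))
```

The second line of output shows the serial transcript passing every identification round but failing as a signature, which is the page's point that only the parallel version leaves a transferable trace.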
4 Abuses of the parallel version 

In this section we point out abuses of the parallel Fiat-Shamir scheme based on our remarks in 
the previous section. 

4.1 Non-transferable information helps to forge secure digital signatures 

We consider a practical system which consists of FSIS and FSDS. 

Suppose a prover uses only one secret key $s$ for his public information $I$ in the system. 
Namely, the prover shows his identity via the serial version of FSIS using the secret $s$, and 
the prover signs messages via FSDS using the same secret $s$. This system is convenient for the 
prover because he keeps only one piece of secret information. 

However, if the prover shows his identity via the parallel FSIS, not via the serial one, this 
system is not secure for the prover. As we noted in the previous section, in the parallel version 
of FSIS a cheating verifier can get the prover's digital signature of FSDS for any message $M$ 
while the verifier interacts with the prover in FSIS. In this system, FSDS (or FSIS) is not secure. 

Note that "releasing no transferable information" by Feige, Fiat, and Shamir [FSS] guaran- 
tees security only in the case where the prover's secret information is used in the identification 
system alone. 

Remark 4.1: We may prevent the verifier's cheating above by using a different security 
parameter $t$ in the signature stage and in the identification stage. However, such temporary 
protection never implies provable security of the system. 

4.2 Message authentication based on the public key 

Message authentication is used as a data integrity mechanism to detect whether data have 
been altered in an unauthorized manner. An implementation of message authentication based 
on a conventional secret key cipher (e.g. DES) is Message Authentication Codes (MACs) 
[ISO]. Public-key based message authentication is defined as: 

Validity: In the authentication stage, only the user A can prove 
the validity of a message to any user B by using A's public key. 

The authentication stage based on the public key needs an interaction between the prover and 
the verifier, while MACs are non-interactively verified by only the receiver who knows the same 
secret key as the sender. Note that a digital signature [DH] is verified by anybody without 
interaction using only the signer's public key. 

Desmedt [Des] and Guillou-Quisquater [GQ2] applied FSIS to the public-key based message 
authentication. Guillou and Quisquater modified the (extended) Fiat-Shamir identification 
scheme into a message authentication by using a one-way hash function. The one-way hash 
function is used to mix the message into the communication for the identification. 

Guillou-Quisquater's Message Authentication 
based on the (extended) Fiat-Shamir scheme 

1. Preprocessing stage between the trusted center and each user 

In this system, the center's secret key is $p, q$ (distinct large primes) and the public key is $N = pq$ 
and $L$. The center generates prover A's secret key $s_A$ satisfying $1/s_A = (I_A)^{1/L} \pmod N$, 
where $I_A$ is the identity of user A and is published to other users. Furthermore, a one-way hash 
function $g$ is published to each user. 
2. Authentication stage between the user A and the user B 

(a) The user A sends his message $M$ with his identity $I_A$ to the user B. 
Repeat steps (b) to (e) $t$ times. 

(b) The user A picks $r \in_R \mathbb{Z}_N^*$, and computes $x = r^L \pmod N$ and $u = g(M, x)$. The user A 
sends $x$ and $u$ to the user B. 

(c) The user B sends $d \in_R \mathbb{Z}_L$ to the user A. 

(d) The user A sends $y$ such that $y = s_A^{d} r \pmod N$ to the user B. 

(e) The user B checks that $u = g(M, y^L I_A^{d} \pmod N)$. If the check is not valid, the user B 
quits the procedure. 

The user B recognizes that $M$ is A's valid message only if all $t$ round checks are successful. 

The serial version of the protocol above (when $t = O(|N|)$ and $L = O(1)$) is zero-knowledge, 
and the security of parallel versions, which are not zero-knowledge, was studied by Ohta and 
Okamoto [OhOk'88]. 

However, no discrepancy between the serial and the parallel version of the message authentication 
based on the (extended) Fiat-Shamir scheme has been known. We clarify the discrepancy. 

Desmedt [Des] considered the one-time validity of message authentication and Okamoto 
and Ohta [OkOh'90] called the same notion non-transitive signature: 

Validity: Only the user A can prove the validity of a message 
$M$ to any user B by A's public key. 

Non-transitivity: The user B cannot transfer the proof of A's 
origin of the message $M$ to another user C. 
We should notice that the ordinary (transitive) digital signature [DH] does not satisfy the 
condition of non-transitivity, i.e., in the digital signature any user B can transfer the proof of 
A's origin of the message $M$ to another user C and the user C can check the correctness of the 
proof of A's origin of the message $M$ using only A's public key. 

Okamoto and Ohta implemented message authentication based on the modification of the 
prover's randomness in the (extended) Fiat-Shamir scheme. 

Desmedt [Des] mentioned that the serial version of his message authentication is non- 
transitive (one-time valid); however, nothing was mentioned about the case of the parallel version. 
Note that the serial version of Guillou-Quisquater's message authentication is non-transitive. 
Okamoto-Ohta [OkOh'90] claimed, without formal discussion, that both the serial and the 
parallel version of the message authentication are non-transitive. But our claim is as follows. 

Claim: The parallel versions of the Guillou-Quisquater, Okamoto-Ohta, 
and Desmedt message authentication schemes are not non-transitive. 

A cheating method for a verifier in the Guillou-Quisquater message authentication is as 
follows. (This cheating applies to other message authentication schemes such as Desmedt's and 
Okamoto-Ohta's.) 

A (cheating) verifier manages to record the history of the communication 
with the prover. After receiving the prover's message $M, x_1, \ldots, x_t$ and $u = 
g(M, x_1, \ldots, x_t)$, the verifier sends back $d_i$ ($i = 1, \ldots, t$) which are computed 
as $(d_1, \ldots, d_t) = h(x_1, \ldots, x_t)$ by a one-way hash function $h$. After receiving 
the prover's answers $y_i$ ($i = 1, \ldots, t$) for $d_i$ ($i = 1, \ldots, t$), the verifier records 

$H = (M, x_1, \ldots, x_t, h, d_1, \ldots, d_t, y_1, \ldots, y_t)$ as the history of the communication 
with prover A. Once the verifier publishes the history $H$, anyone can check the validity 
and the origin of message $M$ by calculating $u = g(M, y_1^L I_A^{d_1} \pmod N, \ldots, y_t^L I_A^{d_t} 
\pmod N)$, and $(d_1, \ldots, d_t) = h(x_1, \ldots, x_t)$. 
Remark 4.2: The same kind of abuse as above cannot be applied to the scheme based on the serial 
version of the extended Fiat-Shamir scheme. 

5 Positive applications of the parallel version 

In this section, we consider positive applications of the parallel version. 

Okamoto and Ohta [OkOh'89] proposed a blind signature scheme (a notion introduced by Chaum 
[Ch'82]) based on a combination of the parallel version of FSIS and FSDS. This is the first 
positive application of the parallel version of the Fiat-Shamir scheme, although Okamoto and 
Ohta did not clarify the distinction between the parallel and the serial version of the 
Fiat-Shamir scheme. The technique used in the Okamoto-Ohta scheme is more sophisticated than the 
one observed in subsection 4.1; however, Okamoto and Ohta's technique applies to a special class 
of problems which satisfy a condition called random self-reducibility [TW], and does not seem 
to apply to the parallel version of more general zero-knowledge protocols (e.g. the references 
[GMW, BCC]). 

We consider positive applications of the parallel version of the Fiat-Shamir scheme which 
can also be applied to the parallel version of the more general protocols. 

5.1 The parallel version of the Fiat-Shamir scheme leaves a trace 

Our observations in the previous sections suggest that the parallel version of FSIS leaves some 
trace, unlike the serial version of zero-knowledge FSIS. We positively apply the trace to message 
authentication with proof of origin and to protection against divertibility of interactive 
protocols. 

5.2 Testifiable message authentication 

As we pointed out in the previous section, the message authentication based on the parallel FSIS 
does not satisfy non-transitivity. We positively apply the transitive trace of the authentication 
stage in the parallel version of FSIS. 

In the message authentication based on the serial FSIS, the sender (signer) can deny the 
fact that the signer has shown authentication, because there is no evidence of the prover's 
proving stage. Okamoto and Ohta [OkOh'90] pointed to this property as a merit, to show the 
distinction between non-transitive signatures and Chaum's undeniable signature [CA]. Occasionally, 
however, we need evidence to prevent the prover from denying the fact of his authentication 
on the message. The trace in the parallel version is useful as this evidence. 

Suppose that user A sends a message M to user B. A testifiable message authentication 
has the following properties. 

Validity: In the authentication stage, only the user A can prove 
the validity of a message M to any user B with respect to A's public key. 
Testifiability: Any user C can check the fact that the user A has 
given the proof of A's origin on the message M using A's public key, 
without interaction with A. 

It must be noted that digital signatures [DH] satisfy the condition of testifiability; 
however, digital signatures do not have the authentication stage where A can prove to B 
that he is A. 

We propose a message authentication which is a modification of the verifier's randomness 
in the parallel version of the message authentication, using Guillou and Quisquater's idea. 
Proposed testifiable message authentication 

1. Preprocessing stage between the trusted center and each user 

Same as the preprocessing stage in FSIS. Furthermore, two one-way hash functions $g$ and $h$ are 
published to all users. 

2. Authentication stage between the user A and the user B 

(a) The user A sends his identity $I_A$ and a message $M_A$ to user B. 

(b) The user A picks $r_i \in_R Z_N^*$ ($i = 1, \ldots, t$), computes $x_i = r_i^2 \pmod N$ 
($i = 1, \ldots, t$) and $u = g(M_A, x_1, \ldots, x_t)$. The user A sends $x_1, \ldots, x_t$ 
and $u$ to the user B. 

(c) The user B selects a message $R_B$ at random and calculates $h(R_B, x_1, \ldots, x_t)$. The 
user B sets its first $t$ bits to $e_i$ ($i = 1, \ldots, t$) and sends $e_i$ ($i = 1, \ldots, t$) 
and $R_B$ to the user A. 

(d) The user A computes $h(R_B, x_1, \ldots, x_t)$ and checks that its first $t$ bits are 
$e_i$ ($i = 1, \ldots, t$). If the check fails, the user A quits the procedure. Otherwise, 
the user A sends $y_i = s^{e_i} r_i \pmod N$ ($i = 1, \ldots, t$) to B. 

(e) The user B checks that $u = g(M_A, x_1, \ldots, x_t)$ and $x_i = y_i^2 I_A^{e_i} \pmod N$ 
($i = 1, \ldots, t$). If the check fails, the user B quits the procedure. 

After all checks have passed, the user B accepts $M_A$ as A's valid message. 

3. Publication and verification of the evidence of the authentication 

If the prover denies his authentication on the message $M_A$, the verifier shows 

$H = (I_A, M_A, u, x_1, \ldots, x_t, R_B, y_1, \ldots, y_t)$ 

as evidence of A's authentication on $M_A$. Anyone accepts A's authentication on $M_A$ only if 
$H$ satisfies the conditions $u = g(M_A, x_1, \ldots, x_t)$, $(e_1, \ldots, e_t) = $ the first 
$t$ bits of $h(R_B, x_1, \ldots, x_t)$, and $x_i = y_i^2 I_A^{e_i} \pmod N$ ($i = 1, \ldots, t$). 

The authors [SI] applied the proposed testifiable message authentication to a digital credit 
card system, where both the identification and the digital signature are required. 

5.3 Protection against divertibility 

Desmedt et al. [DGB] pointed out an abuse of FSIS, the so-called Mafia fraud problem, where an 
intermediate verifier B can masquerade as the genuine prover A to another (victimized) verifier 
C while A proves his identity to B, and B leaves no evidence which shows that B was assisted 
by A. This concept was formulated as divertibility of (zero-knowledge) protocols by Okamoto 
and Ohta [OkOh'89]. They proposed some types of measures to protect against such an abuse. 

We propose a simple technique to protect against the abuse of divertibility of the parallel 
version of the Fiat-Shamir scheme, which cannot be applied to the serial one. Figure 1 describes 
the technical details of the divertibility of the parallel version of the Fiat-Shamir scheme. The 
divertibility arises from the property that there is no evidence which distinguishes the two 
communication data 

$((x_1, \ldots, x_t), (e_1, \ldots, e_t), (y_1, \ldots, y_t))$ and $((x'_1, \ldots, x'_t), (e'_1, \ldots, e'_t), (y'_1, \ldots, y'_t))$. 
Proposed countermeasure 

The technique used in our proposed testifiable message authentication is useful to create 
evidence which distinguishes the data. Consider the following modified protocol: 

After receiving the prover's first message $(x_1, \ldots, x_t)$, the verifier selects a random 
message $R_V$, computes $h(R_V, x_1, \ldots, x_t)$ and sets its first $t$ bits to $e_1, \ldots, e_t$. 
Then the verifier sends the random message $R_V$ to the prover instead of sending $e_1, \ldots, e_t$. 
The prover sends back to the verifier $y_i = s^{e_i} r_i \pmod N$ ($i = 1, \ldots, t$), where 
$(e_1, \ldots, e_t) = h(R_V, x_1, \ldots, x_t)$, as in the ordinary parallel Fiat-Shamir scheme. 
The verifier accepts the prover only if the checks $(e_1, \ldots, e_t) = h(R_V, x_1, \ldots, x_t)$ 
and $x_i = y_i^2 I_A^{e_i} \pmod N$ ($i = 1, \ldots, t$) are passed. 
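The following Python is an added worked example, not code from the paper. It implements the three-stage testifiable message authentication of 5.2 together with the hash-derived challenge of the countermeasure above (the two coincide: the challenge bits are the first t bits of h(R, x_1, ..., x_t), so the prover can check them, and the transcript H can be verified by anyone holding I_A). The parameters are assumptions: N is a product of two small toy primes, t = 8, and g and h are instantiated with SHA-256; nothing here is sized for real use.

```python
"""Testifiable message authentication on the parallel Fiat-Shamir scheme.

Added example, not code from the paper.  Stage 2 is steps (a)-(e) of the
protocol, stage 3 is the public verification of H.  The verifier's challenge
bits are the first T bits of h(R, x_1, ..., x_t), as in the countermeasure
against divertibility.  Assumptions: N = P*Q with toy primes (a real N needs
about 2048 bits), T = 8 parallel rounds, g and h are SHA-256 with a tag byte.
"""
import hashlib
import math
import secrets

P, Q = 1000003, 1000033        # toy primes (assumption); far too small for real use
N = P * Q
T = 8                          # parallel rounds = challenge bits


def _digest(tag, *parts):
    """Length-prefixed SHA-256 over all parts; `tag` separates g from h."""
    hsh = hashlib.sha256(tag)
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        hsh.update(len(data).to_bytes(4, "big") + data)
    return hsh.digest()


def g(message, xs):
    """u = g(M_A, x_1, ..., x_t), returned as a hex string."""
    return _digest(b"g", message, *xs).hex()


def challenge_bits(randomness, xs):
    """e_1..e_T: the first T bits of h(R, x_1, ..., x_t)."""
    digest = _digest(b"h", randomness, *xs)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(T)]


def keygen():
    """Fiat-Shamir key pair: secret s, public I_A with s^2 * I_A = 1 (mod N)."""
    while True:
        s = secrets.randbelow(N - 2) + 2
        if math.gcd(s, N) == 1:
            return s, pow(pow(s, 2, N), -1, N)


def prover_commit(message):
    """Step (b): r_i in Z_N^*, x_i = r_i^2 mod N, u = g(M_A, x_1, ..., x_t)."""
    rs = [secrets.randbelow(N - 2) + 2 for _ in range(T)]
    xs = [pow(r, 2, N) for r in rs]
    return rs, xs, g(message, xs)


def verifier_challenge(xs):
    """Step (c): a random R_B and the challenge bits derived from it."""
    r_b = secrets.token_bytes(16)
    return r_b, challenge_bits(r_b, xs)


def prover_respond(s, rs, xs, r_b, es):
    """Step (d): refuse a challenge not derived from (R_B, x_1..x_t);
    otherwise answer y_i = s^{e_i} r_i mod N."""
    if es != challenge_bits(r_b, xs):
        return None
    return [pow(s, e, N) * r % N for r, e in zip(rs, es)]


def verify_evidence(i_a, message, u, xs, r_b, ys):
    """Step (e) for B, and stage 3 for any third party C holding H and I_A:
    u = g(M_A, x..), e = first T bits of h(R_B, x..), x_i = y_i^2 I_A^{e_i} mod N."""
    if len(xs) != T or len(ys) != T or u != g(message, xs):
        return False
    es = challenge_bits(r_b, xs)
    return all(x == pow(y, 2, N) * pow(i_a, e, N) % N
               for x, y, e in zip(xs, ys, es))


def authenticate(s, i_a, message):
    """Run stage 2 between A and B and return the evidence H of stage 3."""
    rs, xs, u = prover_commit(message)
    r_b, es = verifier_challenge(xs)
    ys = prover_respond(s, rs, xs, r_b, es)
    if ys is None or not verify_evidence(i_a, message, u, xs, r_b, ys):
        raise RuntimeError("authentication failed")
    return (i_a, message, u, xs, r_b, ys)


if __name__ == "__main__":
    secret, public = keygen()
    evidence = authenticate(secret, public, b"transfer 100 units to B")
    print("third party accepts H:", verify_evidence(*evidence))
```

Run stand-alone it prints whether a third party accepts H. Two caveats a practitioner would check: first, because (e_1, ..., e_t) is a function of (R_B, x_1, ..., x_t), a verifier who has already sent R_B cannot later substitute other commitments x'_i into H, which is exactly the property the countermeasure relies on; second, with only t = 8 challenge bits an intermediary can find, by trying about 2^8 values of R, a randomness whose first t bits equal any wanted challenge, so the evidence is only as binding as t is long, consistent with the reduction to FSDS security with h modelled as a random function.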
[Figure 1: Divertible ZK on the parallel Fiat-Shamir scheme. Columns: Prover, Verifier, 
Victimized Verifier. The verifier picks $b_i \in_R \{0,1\}$ and $u_i \in_R Z_N^*$, forwards 
$(x'_1, \ldots, x'_t)$ to the victimized verifier, who returns $e'_i \in_R \{0,1\}$ as 
$(e'_1, \ldots, e'_t)$; the verifier sends $e_i = e'_i \oplus b_i$ as $(e_1, \ldots, e_t)$ to the 
prover, who answers $y_i = s^{e_i} r_i$ as $(y_1, \ldots, y_t)$; the verifier forwards 
$(y'_1, \ldots, y'_t)$ to the victimized verifier.] 

In this modified protocol, the way the verifier generates the challenge bits $(e_1, \ldots, e_t)$ 
is restricted, and the verifier's computation in the original divertible protocol (Figure 1) cannot 
be applied to the modified protocol. 

The proof of the correctness of our countermeasure is obtained from the same argument as 
the proof of the security of FSDS (Proposition 2.11). The protection is practical rather than 
theoretical, because it is assumed, in a way similar to Proposition 2.11, that the function $h$ is a 
(black-box) truly random function. 

Remark 5.1: Ohta, Okamoto, and Fujioka [OOF] proposed how to protect against divertibility 
by using a bit commitment function. Their countermeasure is useful for both the serial version 
and the parallel version. However, our proposed countermeasure applies only to the parallel 
version. 






6 Concluding remarks 

In this paper, we clarified the discrepancy between the serial version and the parallel version of 
zero-knowledge protocols, and in particular pointed out the relation between the "information" 
leaked in the parallel version of the Fiat-Shamir identification scheme and the Fiat-Shamir digital 
signature scheme. Furthermore, we considered the merits and demerits of the parallel version 
compared with the serial one. Note that our observation applies to general zero-knowledge 
protocols which are a sequential iteration of a three-move protocol. 

The security of the straightforward parallel execution of Fiat-Shamir type identification 
schemes has been characterized by several researchers [FSS, OhOk'88, FeS, BM, Oka]. However, their 
results depend heavily on the structure of the underlying problems (e.g. factorization or 
discrete logarithm), and the proof techniques fail in the case of the straightforward parallel 
execution of the zero-knowledge protocol for general problems such as Graph-3-Colourability 
[GMW, BCC]. The security of these protocols is still unclear. 

The security of three-move protocols [FSS, OhOk'88, FeS, BM, Oka], which are based on 
some algebraic problems, is guaranteed only within the identification system, and nothing 
is said about their use outside the identification system. 

The security of identification and of signatures is one of the central topics in modern 
cryptography, and many results are known. However, these lines of research treat security 
independently of each other. We must study the security of the combination of the 
different objects. 
Abstract: The cryptographic strength of an SP network depends 
crucially on the strength of its substitution boxes (S-boxes). In this paper 
we use the concept of information leakage to evaluate the strength of S-boxes 
and SP networks. We define an equivalence class on n×n S-boxes 
that is invariant in information leakage. Simulation results for a 16×16 SP 
network suggest that after a sufficient number of rounds the distribution 
of the output XOR in the SP network looks random. We further present 
simulation results to show that the information leakage for an SP network 
diminishes more rapidly with the number of rounds when the S-boxes are 
cryptographically strong. 

1. Introduction 

The concepts of "confusion" and "diffusion", which led to the design of 
Substitution-Permutation Network (SPN) cryptosystems (e.g., DES [1]), were first in- 
troduced by Shannon [2] and were elaborated on in concrete and practical ways by 
Feistel [3] and Feistel, Notz and Smith [4]. The strength of an SP network depends 
highly on the strength of the substitution boxes (S-boxes). Work on the design and 
analysis of S-boxes has been presented in [5][6][7][8][9][10]. 

Kam and Davida [11] presented an approach to the design of S-boxes and SP 
networks which is guaranteed to satisfy completeness, a property which requires that 
each output bit depends on every input bit. Since then, very little work has been done 
on the design and analysis of a general SP network [12][13], even though many fully 
designed cryptosystems have been published [14] [15]. 

In this work we review some previously proposed evaluation criteria based on 
information leakage and extend them to an n×n bijective S-box. We then define 
an equivalence class on S-boxes which will enable one to create cryptographically 
strong S-boxes more efficiently. We also present simulation results to show that 
cryptographically strong S-boxes improve the performance of an SP network. 

E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 260-279, 1993. 
© Springer-Verlag Berlin Heidelberg 1993 
2. Evaluation Criteria for a Cryptographically Strong S-box 

Forré [9] presented a set of cryptographic properties of S-boxes based on 
information theory. Dawson & Tavares [10] extended Forré's ideas to define an 
expanded set of design criteria for cryptographically strong S-boxes. The authors 
viewed an S-box in two different ways: a static view, which models an S-box when 
the inputs are steady, and a dynamic view, which models an S-box when the inputs 
change. Forré's criteria, however, apply to the static model only. In the Dawson & 
Tavares design framework both an S-box and its inverse were designed to have low 
information leakage. The expanded set of design criteria was developed at a "single" 
bit level, where the information leakage between a single output bit and the input bits, or 
between a single output bit and the rest of the output bits, was computed. We extend 
the design criteria to a "multiple" bit level, where the information leakage between one 
or more output bits and the input bits, or between one or more output bits and the 
rest of the output bits, is considered. We further show that some of the new design 
criteria defined in [10] are redundant. We also introduce a useful information theoretic 
property, which we call "XOR Information Leakage" (XL[I;O]), for an S-box. The 
attractive feature of this property is that it uses a "single quantity" to compare the 
XOR distributions of S-boxes and SP networks. The n×n S-box $S$ considered in 
this section is a bijective S-box with an $n$-bit input $X = \{x_1, x_2, \ldots, x_n\}$ and an $n$-bit 
output $Y = \{y_1, y_2, \ldots, y_n\}$, where $x_i$ and $y_i$, $1 \le i \le n$, are binary variables. 

2.1. Static Input-Output Information Leakage ( SL[I;O] ) 

The input-output mapping of an S-box is assumed to be known, i.e., the output 
is assumed to be known when the input is completely known (or vice versa). In an 
ideal S-box, however, partial information about the input bits should not reduce the 
uncertainty in the unknown output bits (or vice versa). 

The static view of the S-box is shown in Figure 1. If $X_k = \{x_{j_1}, x_{j_2}, \ldots, x_{j_k}\}$, 
where $1 \le k \le n-1$ and $1 \le j_1, j_2, \ldots, j_k \le n$, is a subset of the input bits and 
$Y_t = \{y_{l_1}, y_{l_2}, \ldots, y_{l_t}\}$, where $1 \le t \le n-1$ and $1 \le l_1, l_2, \ldots, l_t \le n$, 
is a subset of the output bits, then the Static Input-Output Information Leakage is the mutual 
information between $Y_t$ and $X_k$, given by: 

$$SL[I;O] = I(Y_t; X_k) = H(Y_t) - H(Y_t \mid X_k).$$ 

[Figure 1. Static view of an n×n S-box: $S : X \to Y$.] 

The averaged* SL[I;O] matrices of a 4×4 DES S-box and one of the S-boxes found 
by Dawson & Tavares are given in Table 1. The detailed SL[I;O] matrices for these 
two S-boxes are given in Tables 2 and 3. In these tables, the information leakage is 
given in bits/input. The S-boxes considered in the example are as follows: 

DES S-box: ( 0,15,7,4,14,2,13,1,10,6,12,11,9,5,3,8 ) 

Dawson & Tavares S-box: ( 7,9,1,10,12,14,0,5,4,13,11,6,2,3,15,8 ). 



                 DES S-box                     Dawson & Tavares S-box 
  k \ t      1        2        3             1        2        3 
    1      0.0228   0.1060   0.3750        0.0114   0.0786   0.3750 
    2      0.0865   0.4271   1.0938        0.0786   0.4284   1.1250 
    3      0.3594   1.0885   2.0000†       0.3750   1.1250   2.0391 

Table 1. Averaged SL[I;O] matrices for the DES and the Dawson & Tavares S-box (bits/input) 



2.2. Dynamic Input-Output Information Leakage ( DL[I;O] ) 

In an ideal S-box, information about any changes in the input bits should not 
reduce the uncertainty in the changes in the output bits. 

The dynamic view of an S-box (delta S-box) is shown in Figure 2, in 
which the steady-state value of the input $X$ is assumed to be unknown. If 
$\Delta X_k = \{\Delta x_{j_1}, \Delta x_{j_2}, \ldots, \Delta x_{j_k}\}$, where $1 \le k \le n$ and 
$1 \le j_1, j_2, \ldots, j_k \le n$, is a set of changes in the input bits and 
$\Delta Y_t = \{\Delta y_{l_1}, \Delta y_{l_2}, \ldots, \Delta y_{l_t}\}$, where $1 \le t \le n$ and 
$1 \le l_1, l_2, \ldots, l_t \le n$, is a set of changes in the output bits, then 
the Dynamic Input-Output Information Leakage is the mutual information between 
$\Delta Y_t$ and $\Delta X_k$, given by: 

$$DL[I;O] = I(\Delta Y_t; \Delta X_k) = H(\Delta Y_t) - H(\Delta Y_t \mid \Delta X_k).$$ 



* Averaged means that for any k and t, the leakage is averaged over all the choices of $Y_t$ and $X_k$. 
† In all the DES S-boxes, when t = k = 3 the static input-output information leakage is 2 bits/input, which 
is the minimum possible value for $I(Y_3; X_3)$ in a 4×4 S-box. 
[Figure 2. An n×n delta S-box: $S : X \to Y$ and $\Delta S : \Delta X \to \Delta Y$.] 



The averaged DL[I;O] matrices of the 4×4 DES S-box and the Dawson & Tavares 
S-box of the above example are given in Table 4. The detailed DL[I;O] matrix for 
the DES S-box is given in Table 5. In these tables, the information leakage is given 
in bits/input change. 





                      DES S-box                               Dawson & Tavares S-box 
  k \ t      1        2        3        4              1        2        3        4 
    1      0.0014   0.0102   0.0462   0.1725         0.0007   0.0104   0.0437   0.1333 
    2      0.0066   0.0371   0.1586   0.4958         0.0104   0.0476   0.1484   0.3558 
    3      0.0317   0.1286   0.4362   1.0202         0.0437   0.1484   0.3756   0.7741 
    4      0.1333   0.4220   0.9866   1.7541         0.1333   0.3558   0.7741   1.4024 

Table 4. Averaged DL[I;O] matrices for the DES and the Dawson & Tavares S-box (bits/input change) 



In [10] Output-Input Information Leakage, which is the same as the Input-Output 
Information Leakage except that the input and the output are interchanged, was 
defined as a separate property in both the static and the dynamic cases. But due 
to the symmetry of mutual information, i.e., $I(A;B) = I(B;A)$, the output-input 
information leakage matrix is simply the transpose of the input-output information 
leakage matrix in both the static and the dynamic cases for any bijective S-box. 
Therefore, the output-input information leakage is a redundant criterion under both the 
static and the dynamic conditions for any bijective S-box. 
2.3. Dynamic Output-Output Information Leakage ( DL[O;O] ) 

For any given change $\Delta X$ at the input, if $\Delta Y_k = \{\Delta y_{j_1}, \Delta y_{j_2}, \ldots, \Delta y_{j_k}\}$, 
where $1 \le k \le n-1$ and $1 \le j_1, j_2, \ldots, j_k \le n$, is a set of changes in the output bits 
and $\Delta Y_t = \{\Delta y_{l_1}, \Delta y_{l_2}, \ldots, \Delta y_{l_t}\}$, where $1 \le t \le n-1$ and 
$1 \le l_1, l_2, \ldots, l_t \le n$, is another set of changes in the output bits such that 
$\Delta Y_k \cap \Delta Y_t = \emptyset$, then the Dynamic Output-Output Information Leakage (with 
respect to $\Delta X$) is the mutual information between $\Delta Y_k$ and $\Delta Y_t$, given by: 

$$DL[O;O] = I(\Delta Y_t; \Delta Y_k) = H(\Delta Y_t) - H(\Delta Y_t \mid \Delta Y_k).$$ 

In any bijective S-box, under the static condition, for any given subset of output bits 
$Y_k$, each of the $2^t$ combinations of the bits from another subset of output bits $Y_t$ 
(such that $Y_k \cap Y_t = \emptyset$) occurs with equal probability over all the possible static 
states. Therefore, the mutual information between $Y_k$ and $Y_t$ must be zero. This 
may not be true under the dynamic condition, where the correlation in the output bits 
could be exploited to gain information about the unknown changes in the output bits. 
Thus, this information theoretic property is cryptographically meaningful only under 
the dynamic condition for a bijective S-box. 

The averaged DL[O;O] matrices of the 4×4 DES S-box and the Dawson & 
Tavares S-box of the above examples are given in Table 6. The detailed DL[O;O] 
matrix for the DES S-box is given in Table 7. In these tables, the information leakage 
is given in bits/output change. 





                 DES S-box                     Dawson & Tavares S-box 
  k \ t      1        2        3             1        2        3 
    1      0.1659   0.4600   0.6766        0.0952   0.3040   0.5280 
    2      0.4600   0.9707     -           0.3040   0.7368     - 
    3      0.6766     -        -           0.5280     -        - 

Table 6. The averaged DL[O;O] matrices for the DES and the Dawson & Tavares S-box (bits/output change) 

In fact, there is an averaged DL[O;O] matrix for each value of $\Delta X$ (i.e., for 
each pattern of input change). In this paper, however, the average values of DL[O;O] 
for each value of $\Delta X$ (from a single-bit change to a four-bit change) are calculated 
and averaged again to form a single matrix. Note that due to the symmetry of mutual 
information the element $a_{ij}$ is equal to the element $a_{ji}$ in the DL[O;O] matrix. 

"-" means $\Delta Y_k \cap \Delta Y_t \ne \emptyset$. 
2.4. XOR Input-Output Information Leakage ( XL[I;O] ) 

The XOR distribution gives the probability distribution of the input XOR and 
the output XOR for an S-box. Biham & Shamir [16] first used the XOR distribution 
for their differential attack on DES-like cryptosystems. The XOR distribution of the 
DES S-box of the above example is given in Table 8. 

If $\Delta X$ is the input XOR and $\Delta Y$ is the output XOR, then the XOR Input-Output 
Information Leakage is the mutual information between $\Delta X$ and $\Delta Y$, given 
by: 

$$XL[I;O] = I(\Delta Y; \Delta X) = H(\Delta Y) - H(\Delta Y \mid \Delta X).$$ 

In an n×n S-box, if for any given input XOR each output XOR occurs with 
equal probability, the XOR distribution must have all identical entries. Such an XOR 
distribution is called a "uniform" or "flat" distribution. The "differential probability" 
corresponding to an entry in the XOR distribution is obtained by dividing that entry 
by $2^n$, where $n$ is the block size of the S-box (or SP network). Thus, in a uniform 
XOR distribution the highest differential probability is $1/2^n$. For a uniform XOR 
distribution XL[I;O] is zero. However, due to the nature of the XOR operation, each 
output XOR either occurs an even number of times or does not occur at all. Further, 
in an S-box, when $\Delta X = 0$, $\Delta Y = 0$. Thus, a zero input XOR and the corresponding 
output XORs are trivial. 

In the XOR distribution for an n×n S-box the sum of the entries in a row is $2^n$, 
and if the S-box is bijective the sum of the entries in a column is also $2^n$. Therefore, 
in the "best possible distribution" for an n×n S-box, an entry corresponding to a 
non-zero input XOR can be either 0 or 2. Thus, for a non-zero input XOR half of 
the possible output XORs do not occur. For a 4×4 S-box with the best possible 
distribution, XL[I;O] will be 1.1875 bits/input XOR, which is the minimum value of 
XL[I;O] for any 4×4 S-box. However, Adams [17] showed that an n×n S-box with 
the best possible XOR distribution cannot be bijective when n is even. 

It should be noted that in an n×n S-box, XL[I;O] is the same as DL[I;O] when 
$t = k = n$. Thus, XL[I;O] is not an independent evaluation criterion. However, 
XL[I;O] is useful in measuring how far an XOR distribution deviates from a uniform 
XOR distribution, using a single "quantity". Further, due to the symmetry of mutual 
information, the XOR output-input information leakage is the same as the XOR input- 
output information leakage, i.e., XL[O;I] = XL[I;O]. 

XL[I;O] for the DES S-box and the Dawson & Tavares S-box of the above 
examples is 1.7541 bits/input XOR and 1.4024 bits/input XOR respectively (note 
that these values correspond to DL[I;O] in Table 4 when $t = k = 4$). The highest 
XL[I;O] among the 4×4 DES S-boxes is 1.8438 bits/input XOR. We note that using 
S-boxes with a uniform XOR distribution does not necessarily increase the immunity of 
an SPN cryptosystem against a differential attack [18]. In order to develop resistance 
to a differential attack, other design criteria must also be taken into consideration. 
3. An Equivalence Class on S-boxes 

Consider the n×n S-box $S'$ created by XORing $X_r$ and $Y_s$ with the input and 
the output respectively of the n×n S-box $S$, as shown in Figure 3. $X_r$ and $Y_s$ are 
arbitrary fixed $n$-bit binary vectors. 



[Figure 3. Equivalent S-boxes $S$ and $S'$ with invariant information leakage: 
$X' \to \oplus X_r \to S \to \oplus Y_s \to Y'$.] 

Since 

$$Prob(X_j) = Prob(X'_j \oplus X_r) = Prob(X'_j)$$ 

and 

$$Prob(Y_j) = Prob(Y'_j \oplus Y_s) = Prob(Y'_j),$$ 

the SL[I;O] of $S$ is the same as that of $S'$. Also, since the properties related to the 
changes in the input and the output bits are invariant to the XOR operations at the 
input and the output, all the dynamic information leakages (DL[I;O], DL[O;O] and 
XL[I;O]) will be the same for both $S$ and $S'$. Therefore, in this fashion, we can 
generate $2^{2n}$ equivalent n×n S-boxes with invariant information leakage and with 
different input-output mappings. 

A new S-box $S''$ can be generated by permuting the input and/or output bits of 
the original S-box $S$. $S''$ will have similar cryptographic properties to $S$. However, 
due to the bit permutation, the entries of the leakage matrices and the XOR distribution 
of $S''$ may be located differently. Starting with $S''$, a new class of S-boxes can be 
generated using the above procedure. Hence, if a single S-box with low information 
leakage is found (possibly through a computer search), a large number of S-boxes 
with similar information leakage can be created easily. 
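The Python below is an added worked example (not the authors' code) that computes the averaged SL[I;O], DL[I;O] and XL[I;O] of Section 2 for the DES and Dawson & Tavares S-boxes listed in 2.1 and checks the equivalence-class construction of this section. It assumes a uniform input and, for the dynamic views, a uniform input change over all 2^n values including the zero change, which is the convention under which DL[I;O] at t = k = n coincides with XL[I;O]; with it the code reproduces the 1.7541 and 1.4024 bits/input XOR of Section 2.4 and the 0.0228, 2.0000 and 2.0391 entries of Table 1.

```python
"""Information-leakage criteria for 4x4 bijective S-boxes (Sections 2 and 3).

Added example, not code from the paper.  Assumptions: the S-box input (and,
for the dynamic views, the input change, zero included) is uniform, and the
"averaged" matrices average over all k-subsets of input bits and t-subsets
of output bits, as the paper's footnote to Table 1 states.
"""
from collections import Counter
from itertools import combinations
from math import log2

DES_SBOX = (0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8)
DT_SBOX = (7, 9, 1, 10, 12, 14, 0, 5, 4, 13, 11, 6, 2, 3, 15, 8)


def entropy(counts):
    """Shannon entropy in bits of a distribution given as raw counts."""
    total = sum(counts)
    return -sum(c / total * log2(c / total) for c in counts if c)


def mutual_information(pairs):
    """I(A;B) = H(A) + H(B) - H(A,B) from a list of (a, b) samples."""
    h_a = entropy(Counter(a for a, _ in pairs).values())
    h_b = entropy(Counter(b for _, b in pairs).values())
    return h_a + h_b - entropy(Counter(pairs).values())


def project(value, bits):
    """The bits of `value` at the given positions, as a hashable tuple."""
    return tuple((value >> b) & 1 for b in bits)


def _averaged(sbox, k, t, n, sample):
    """Average a leakage over all k-subsets of input bits and t-subsets of output bits."""
    values = [mutual_information(sample(sbox, in_bits, out_bits, n))
              for in_bits in combinations(range(n), k)
              for out_bits in combinations(range(n), t)]
    return sum(values) / len(values)


def _static_sample(sbox, in_bits, out_bits, n):
    # steady input x, uniform over all 2^n values
    return [(project(sbox[x], out_bits), project(x, in_bits)) for x in range(1 << n)]


def _dynamic_sample(sbox, in_bits, out_bits, n):
    # steady-state input x unknown (uniform); input change dx uniform over all 2^n values
    return [(project(sbox[x] ^ sbox[x ^ dx], out_bits), project(dx, in_bits))
            for x in range(1 << n) for dx in range(1 << n)]


def static_leakage(sbox, k, t, n=4):
    """Averaged SL[I;O] = I(Y_t; X_k)."""
    return _averaged(sbox, k, t, n, _static_sample)


def dynamic_leakage(sbox, k, t, n=4):
    """Averaged DL[I;O] = I(dY_t; dX_k)."""
    return _averaged(sbox, k, t, n, _dynamic_sample)


def xor_distribution(sbox, n=4):
    """table[dx][dy] = number of inputs x with S(x) ^ S(x ^ dx) = dy."""
    table = [[0] * (1 << n) for _ in range(1 << n)]
    for x in range(1 << n):
        for dx in range(1 << n):
            table[dx][sbox[x] ^ sbox[x ^ dx]] += 1
    return table


def xor_leakage(sbox, n=4):
    """XL[I;O] = H(dY) - H(dY | dX), dX uniform over all 2^n values (dX = 0 included)."""
    table = xor_distribution(sbox, n)
    h_dy = entropy([sum(col) for col in zip(*table)])
    h_dy_given_dx = sum(entropy(row) for row in table) / (1 << n)
    return h_dy - h_dy_given_dx


def max_differential(sbox, n=4):
    """Largest XOR-distribution entry for a non-zero input XOR (the Section 4 design target)."""
    return max(max(row) for row in xor_distribution(sbox, n)[1:])


def equivalent_sbox(sbox, x_r, y_s):
    """S'(x) = S(x XOR X_r) XOR Y_s: the Section 3 construction."""
    return tuple(sbox[x ^ x_r] ^ y_s for x in range(len(sbox)))


if __name__ == "__main__":
    for name, sbox in (("DES", DES_SBOX), ("Dawson & Tavares", DT_SBOX)):
        print(name, "SL(1,1)=%.4f SL(3,3)=%.4f XL=%.4f max entry=%d" % (
            static_leakage(sbox, 1, 1), static_leakage(sbox, 3, 3),
            xor_leakage(sbox), max_differential(sbox)))
```

XL[I;O] is an average over all input XORs, so a low value does not bound the largest single entry: max_differential is the quantity Section 4 asks a designer to minimise, and the two S-boxes above have maximum entries 8 and 6 (differential probabilities 1/2 and 3/8) despite their modest XL[I;O]. The equivalence-class check at the end of the test confirms that S' has exactly the same leakage figures as S while being a different mapping.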



4. Differential Attack on SP Networks 

The differential attack developed by Biham & Shamir is a statistical chosen 
plaintext attack on DES-like block ciphers. If a pair of distinct plaintexts with known 
XOR difference $\Delta X$ produces a pair of $(r-1)$th round ciphertexts $Y_{r-1}$ and $Y'_{r-1}$ such 
that $Y_{r-1} \oplus Y'_{r-1} = \Delta Y_{r-1}$, then an $r$ round cipher is vulnerable to the differential 
attack if and only if the following conditions hold [19]: 

I. There exists a pair of $(r-1)$th round outputs $Y_{r-1}$ and $Y'_{r-1}$ such that 
$Prob(\Delta Y_{r-1} \mid \Delta X)$ is greater than $1/2^m$, where $m$ is the cipher block size. 

II. Given some pairs of $Y_{r-1}$ and $Y'_{r-1}$ it is possible to determine some key bits 
in the $r$th round. 

The effectiveness of this line of attack depends on how confidently the $(r-1)$th 
round XOR values (corresponding to the chosen input XOR) can be predicted in the 
SP network. In the cryptosystem, if XL[I;O] is zero after the $(r-1)$th round then the 
maximum differential probability reaches the ideal value, which is $1/2^m$ ($m$ is the 
cipher block size), and the first condition cannot be satisfied. However, due to 
the nature of the XOR operation, an SP network with even the best possible XOR 
distribution will have a differential probability of $1/2^{m-1}$ (i.e., $2/2^m$). 

In an SP network, keying can be introduced in one of the two ways shown in 
Figure 4. DES uses a combination of these two methods. 

[Figure 4. Two possible methods of keying: (a) $C_{r-1}$ is XORed with $K_r$ before the 
S-box; (b) a key bit selects the S-box.] 

In Figure 4(a), the $(r-1)$th round ciphertext $C_{r-1}$ is XORed with the $r$th round key $K_r$ to 
form the actual input to the S-box. A given $(\Delta C_{r-1}, \Delta C_r)$ pair, where $\Delta C_{r-1} \ne 0$, 
restricts the possible values for the actual input to the S-box. Using the actual input and the 
value of $C_{r-1}$ (if known), the uncertainty in $K_r$ can be reduced. However, in an SPN 
cryptosystem using this keying arrangement, if the value of $C_{r-1}$ is not available (note that 
this condition is not satisfied in DES-like systems), a differential cryptanalyst cannot learn 
about the key using the knowledge of the input XOR and the output XOR of the S-box. 

In Figure 4(b), one bit of $K_r$ is used to select one of the two S-boxes $S_1$ and 
$S_2$. In this arrangement, $K_r$ is not mixed with $C_{r-1}$ to form the actual input to the 
S-box in the $r$th round. Since in this illustration only two S-boxes are used, a single 
key bit is sufficient to select an S-box. This arrangement is vulnerable to a differential 
attack if the two S-boxes do not have identical XOR distributions [13]. It has been 
pointed out by Heys [20] that a differential attack is possible even if the S-boxes 
have identical XOR distributions (i.e., if $S_1$ and $S_2$ are chosen from an equivalence 
class). This can be explained with the help of Figure 5. 
[Figure 5. Differential attack on the arrangement shown in Figure 4(b) (the case $K_r = 0$ is drawn).] 



Assume that in Figure 5 the equivalent S-boxes $S_1$ and $S_2$ are derived by XORing 
the vectors $X_1$ and $X_2$ respectively at the input of the S-box $S$. The knowledge of 
a $(\Delta C_{r-1}, \Delta C_r)$ pair, where $\Delta C_{r-1} \ne 0$, suggests the actual values of the input 
of $S$. Using these suggested values and the values of $C_{r-1}$ (assumed to be known) we 
can obtain the possible values of the vectors $X_1$ and $X_2$, and compare them with the 
known values of $X_1$ and $X_2$ to get the keying information. Since only two S-boxes 
were used in this example, the described attack does not seem efficient. However, 
if a large number of S-boxes are used in this fashion, the differential attack becomes 
more efficient. 

Therefore, an SP network using one or a combination of the above keying tech- 
niques should be designed to minimize the maximum entry in the XOR distribution 
(i.e., the maximum differential probability), in order to increase its immunity against 
differential attack. 



5. Analysis of a 16-bit SP Network 

In an $r$ round SPN cryptosystem the substitution-permutation function is iterated 
$r$ times so that the final product (ciphertext) is cryptographically stronger than the 
intermediate products. The number of rounds required depends strongly on the 
strength of the individual layers. If the individual layers are strong, the number of 
rounds required can be smaller, which means that higher data encryption/decryption 
rates can be achieved. In order to study the influence of the S-boxes on the 
cryptographic properties of an SP network, the 16×16 SP network (which is tractable) 
shown in Figure 6 was evaluated with respect to the various criteria explained above. 
The DES, Dawson & Tavares and some randomly selected S-boxes were used for this 
analysis. We found that some of the DES S-boxes are relatively stronger than the 
others with respect to information leakage. Therefore, under each evaluation criterion, 
the DES S-boxes with relatively low information leakage (DES-L) and relatively high 
information leakage (DES-H) were analyzed separately. 
[Figure 6. A 16-bit SP network.] 



We first studied how the maximum differential probability of the SP network 
varies with the number of rounds (for the purpose of this test the DES S-boxes were 
ranked according to their XL[I;O]). We know that even in the best case the non-zero 
minimum entry in the XOR distribution of the SP network is 2. Hence, for any non- 
zero input XOR, at least 50% of the output XORs do not occur. Since the S-boxes 
used are bijective, the 16-bit SP network is also bijective. As in the case of an 
S-box, a bijective SP network with an XOR distribution containing only 0's and 2's is 
not realizable when the block size is even, which is the case for the 16-bit SP network. 
Therefore, we can expect some entries in the XOR distribution which are greater than 
2. Figure 7 shows the variation of the maximum entry in the XOR distribution (for 
100 randomly selected non-zero input XORs) with the number of rounds. For all the 
S-boxes used, the highest entry in the XOR distribution converged to 14 (i.e., the 
maximum differential probability is $14/2^{16}$) after 5 rounds. Further, after 3 rounds 
there was not much difference in the maximum differential probability regardless 
of the selection of S-boxes. However, the S-boxes with low XL[I;O] led to faster 
convergence. In addition, we noted that for all the S-boxes the percentage of 0's (in 
a row) was 60.7% of the number of possible output XORs once convergence was 
achieved. We and Heys [20] observed that the distribution of entries in a given row 
of the XOR distribution, after a sufficient number of rounds, behaves like a random 
placement of $n/2$ balls in $n$ bins, where each ball has a value of 2. The maximum 
entry in a row corresponding to the random placements was observed to be less than 
or equal to 14. 
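The Python below is an added example, not the authors' simulation, and the network is an assumption: the paper's Figure 6 is not reproduced on this page, so the block uses a generic 16-bit SPN (four parallel 4×4 S-boxes, the bit permutation that sends output bit j of box i to input bit i of box j, a round key XORed before the substitution layer as in Figure 4(a), and constructed round keys). It tracks, round by round, the largest entry in the XOR-distribution rows of a few input XORs, i.e. the quantity plotted in Figure 7, and the fraction of output XORs that never occur.

```python
"""Round-by-round XOR distribution of a toy 16-bit SP network (Section 5).

Added example, not code from the paper.  The network is an assumption (the
paper's Figure 6 is not on this page): four parallel 4x4 S-boxes, the
permutation "output bit j of box i -> input bit i of box j", and a round key
XORed before the substitution layer.  ROUND_KEYS are constructed constants.
"""
from collections import Counter

DES_SBOX = (0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8)
DT_SBOX = (7, 9, 1, 10, 12, 14, 0, 5, 4, 13, 11, 6, 2, 3, 15, 8)
BLOCK_BITS = 16
ROUND_KEYS = (0x3A5C, 0x9D71, 0xC4E2, 0x0F8B, 0x6B1D, 0x2E94)  # constructed constants

# Bit 4*box + j of the substitution-layer output moves to bit 4*j + box.
PERM = [4 * (b % 4) + b // 4 for b in range(BLOCK_BITS)]


def permute(state):
    """Bit-level definition of the permutation layer."""
    out = 0
    for src, dst in enumerate(PERM):
        out |= ((state >> src) & 1) << dst
    return out


def byte_tables(sbox):
    """8-bit lookup tables so one round costs four table lookups."""
    sub = [sbox[b & 0xF] | (sbox[b >> 4] << 4) for b in range(256)]
    perm_lo = [permute(b) for b in range(256)]        # where bits 0..7 land
    perm_hi = [permute(b << 8) for b in range(256)]   # where bits 8..15 land
    return sub, perm_lo, perm_hi


def round_function(state, key, tables):
    """Key XOR, substitution, permutation on a 16-bit state."""
    sub, perm_lo, perm_hi = tables
    state ^= key
    state = sub[state & 0xFF] | (sub[state >> 8] << 8)
    return perm_lo[state & 0xFF] | perm_hi[state >> 8]


def encrypt_all(sbox, rounds):
    """Ciphertext after each round for every 16-bit plaintext: a list of 65536-entry lists."""
    tables = byte_tables(sbox)
    states = list(range(1 << BLOCK_BITS))
    per_round = []
    for r in range(rounds):
        states = [round_function(s, ROUND_KEYS[r], tables) for s in states]
        per_round.append(states)
    return per_round


def xor_row(states, dx):
    """One row of the network's XOR distribution: Counter of output XORs for input XOR dx."""
    return Counter(states[x] ^ states[x ^ dx] for x in range(len(states)))


def max_entries(sbox, input_xors, rounds):
    """For r = 1..rounds, the largest XOR-distribution entry over the given input XORs."""
    return [max(max(xor_row(states, dx).values()) for dx in input_xors)
            for states in encrypt_all(sbox, rounds)]


def zero_fraction(sbox, dx, rounds):
    """Fraction of the 2^16 possible output XORs that never occur for dx after `rounds` rounds."""
    row = xor_row(encrypt_all(sbox, rounds)[-1], dx)
    return 1 - len(row) / (1 << BLOCK_BITS)


if __name__ == "__main__":
    probes = (0x0001, 0x0F00, 0xA5A5)
    for name, sbox in (("DES", DES_SBOX), ("Dawson & Tavares", DT_SBOX)):
        print(name, "max entry per round:", max_entries(sbox, probes, 5))
        print(name, "zeros in row 0x0001 after 5 rounds: %.3f" % zero_fraction(sbox, 0x0001, 5))
```

Because the permutation and keys differ from the paper's, the round at which the maximum entry settles and its final value will not match Figure 7 exactly, but the same shape appears: a single-S-box input XOR has an entry of 32768 (the S-box's own 8/16) after one round and falls to tens within a few rounds. Once a row behaves like the balls-in-bins model above, the expected fraction of empty bins is (1 - 1/n)^{n/2} ≈ e^{-1/2} ≈ 0.607 for n = 2^16, which is the 60.7% the authors report. Note that 14/2^16 ≈ 2^{-12.2} is still a large differential probability in absolute terms; that is a consequence of the 16-bit block chosen for tractability, not a statement about a practical block size.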

A well designed SP network can be regarded as a large strong S-box. Hence 
an ideal SP network should satisfy all the cryptographic properties of an ideal S-box. 
We then examined the 16-bit SP network on a round-by-round basis with respect to 
the four types of information leakage. For selected input and output bits the system 
was tested exhaustively where feasible, or using a large number of randomly chosen 
inputs. The simulation results are shown in Figures 8 through 11. 
Figure 7. Variation of the maximum entry in the XOR distribution (for 100 randomly selected non-zero input XORs) with the number of rounds (1 to 7) for the 16-bit SP network (plot omitted). 

Figure 8. Variation of SL[I;O] (static [I;O] information leakage; input bits selected: 0,1,2,3,4,5; output bits selected: 0,1,2,3) with the number of rounds (0 to 5) for the 16-bit SP network (plot omitted). 

Figure 9. Variation of DL[I;O] (dynamic [I;O] information leakage; same input and output bits) with the number of rounds for the 16-bit SP network (plot omitted). 
7. Conclusions 

We reviewed evaluation criteria for n×n bijective S-boxes based on information 
leakage and introduced the concept of XOR Information Leakage (XL[I;O]), which is 
useful in comparing the XOR distributions of S-boxes. We then defined an equivalence 
class on n×n S-boxes which have invariant information leakage. The equivalence 
classes will reduce the search space for the design of cryptographically strong S-boxes 
with low information leakage. We also found that not all the DES S-boxes are 
equally strong with respect to information leakage. 

We studied the impact of the choice of S-boxes on the cryptographic properties 
of a 16×16 SP network using various S-boxes. Sample S-boxes were chosen from 
DES, from Dawson & Tavares, and from randomly constructed ones. The variation of the 
maximum entry in the XOR distribution with the number of rounds is shown in Figure 
7. This experimental XOR distribution (corresponding to 100 randomly selected non-zero 
input XORs) closely approximates a random distribution of the output XORs 
after 5 rounds. After 3 rounds there is not much difference in the maximum entry in 
the XOR distribution regardless of the selection of S-boxes. However, the S-boxes 
with low XL[I;O] lead to faster convergence to the random XOR distribution. 

We finally studied the influence of the S-boxes on the information leakage of 
the SP network. The simulation results are shown in Figures 8 through 11. Here 
four types of information leakage are plotted against the number of rounds. After 3 
rounds there is not much difference in the information leakage of any kind, regardless 
of the selection of the S-boxes. However, the choice of the S-boxes influences how 
fast the information leakage reaches its minimum value. Using the S-boxes which 
produce the fastest convergence in the SP network will lead to a more efficient and 
faster implementation of a substitution-permutation network cryptosystem, since fewer 
rounds are needed to reach the same leakage level. XL[I;O] 
for the SP network is of special interest with respect to a differential attack because it 
is a good measure of how confidently an output XOR can be predicted from a known 
input XOR in the SP network. For all the S-boxes used, the minimum value of 
XL[I;O] achieved is 1.45 bits/input XOR after 5 rounds. The value of XL[I;O] for a 
random distribution of 16-bit XORs is also 1.45 bits/input XOR. These observations 
suggest that, after a sufficient number of rounds, the XOR distribution of the 16-bit 
SP network converges to the distribution obtained by placing the output XOR pairs at 
random in the XOR distribution. 
Partially-bent functions 

Abstract 

We study a conjecture stated in [6] about the numbers of non-zeros of, respectively, 
the auto-correlation function and the Walsh transform of the function $(-1)^{f(x)}$, 
where $f(x)$ is any boolean function on $\{0,1\}^n$. The result that we obtain 
leads us to introduce the class of partially-bent functions. We study within these 
functions the propagation criterion. We characterize those partially-bent functions 
which are balanced and prove a relation between their number (which is unknown) 
and the number of non-balanced partially-bent functions on $\{0,1\}^{n-1}$. Eventually, 
we study their correlation immunity. 



1 Introduction 

The study of the properties of the substitution transformations of DES has resulted 
in nonlinearity criteria for boolean functions. Perfect nonlinear boolean functions, also 
called bent functions, are defined to be at maximum Hamming distance from affine 
functions. Those functions, of great importance in cryptography, seem to be rare, and very 
few are known. They are neither balanced nor correlation-immune. So, it seems useful 
to define a larger class of boolean functions, containing balanced functions, and preserving 
a high level of nonlinearity. That is what this paper obtains through the proof of a 
conjecture stated in [6]. The class of functions that we obtain is also a superclass of the 
class of quadratic functions. It shares with this class all its nice properties relative to the 
propagation criterion, balancedness and correlation immunity. 

$n$ is a positive integer, $G = \{0,1\}^n$. 
The dot product on $G$ is defined by: 

$$\forall x = (x_1, \ldots, x_n),\ s = (s_1, \ldots, s_n) \in G,\quad x \cdot s = x_1 s_1 + \cdots + x_n s_n \in \{0,1\}$$

where the operations on $\{0,1\}$ are the usual operations on $GF(2)$. 
Let $f$ be a real-valued function on $G$. The Walsh (or Hadamard) transform of $f(x)$ 
is the function on $G$: 

$$\hat f(s) = \sum_{x \in G} f(x)(-1)^{x \cdot s}.$$

Let $f$ be a boolean function on $G$. We will denote by $\hat F$ the Walsh transform of the 
real-valued function $F(x) = (-1)^{f(x)}$: 

$$\hat F(s) = \sum_{x \in G} (-1)^{f(x) + x \cdot s}.$$

It satisfies Parseval's relation (cf. [5], p. 416, corollary 3, or the lemma below): 

$$\sum_{s \in G} (\hat F(s))^2 = 2^{2n}.$$

$f$ is $k$th-order correlation-immune if (cf. [1], [9]): 

$$\hat F(s) = 0 \quad \text{for } 1 \le w(s) \le k$$

(where $w(s)$ denotes the Hamming weight of $s$). 
The auto-correlation function of $F$ is defined by: 

$$\hat r(s) = \sum_{x \in G} (-1)^{f(x) + f(x+s)}.$$

$f$ satisfies the propagation criterion $PC(k)$ of degree $k$ ($1 \le k \le n$) if: 

$$\hat r(s) = 0 \quad \text{for } 1 \le w(s) \le k.$$

There exist functions satisfying $PC(n)$ if and only if $n$ is even (cf. [4]). In that case, 
a boolean function $f$ satisfies $PC(n)$ if and only if, for any element $s$ of $G$, the number 
$\hat F(s)$ is equal to $\pm 2^{n/2}$ (cf. [4] or the lemma below). Such functions are called bent. 
According to Parseval's relation, the bent functions are those functions which are at 
maximum Hamming distance from affine functions. 

The definition of bent functions is invariant under any linear isomorphism, and we 
may define the bent functions on any $GF(2)$-space $E$ of even dimension as the functions 
satisfying: 

$$\sum_{x \in E} (-1)^{f(x) + f(x+s)} = 0,\ \forall s \in E,\ s \ne 0, \quad \text{or equivalently:} \quad \sum_{x \in E} (-1)^{f(x) + x \cdot s} = \pm\sqrt{|E|},\ \forall s \in E.$$
In [6], the authors conjecture that the numbers of zeros $N_{\hat r}$ and $N_{\hat F}$ of the functions 
$\hat r$ and $\hat F$ associated with any boolean function satisfy: 

$$(2^n - N_{\hat r})(2^n - N_{\hat F}) \ge 2^n$$

and that equality holds only for functions of order 2 (that are functions whose algebraic 
normal forms have degree at most 2: we will call them quadratic) or satisfying $PC(n)$ 
or $PC(n-1)$. At the Las Vegas Conference on Finite Fields, they changed the second part 
of their conjecture into: "equality holds only for functions of order 2 or satisfying $PC(n)$ 
($n$ even) or such that $N_{\hat r} = 2^n - 2$ ($n$ odd)". 

In section 2, we prove that the first part of that conjecture, $(2^n - N_{\hat r})(2^n - N_{\hat F}) \ge 2^n$, 
is true. We characterize those functions for which equality holds. We call these functions 
partially-bent, for they are related to bent functions (cf. the theorem below). Any 
quadratic function is partially-bent. 

In section 3, we study those partially-bent functions which satisfy $PC(k)$, those which 
are balanced, and those which are $k$th-order correlation-immune (we deduce that both versions of the second 
part of the conjecture are false). We prove that the number of partially-bent balanced 
functions on $G$ is equal to the number of partially-bent non-balanced functions on 
$\{0,1\}^{n-1}$, times $(2^n - 1)$. All the results of that section hold for quadratic functions, and 
we deduce that there are more balanced quadratic functions than non-balanced quadratic 
functions on $G$ if and only if $n$ is odd. 

2 Partially-bent functions 

Let $f$ be any boolean function on $G$; let us recall that the functions $\hat r$ and $\hat F$ defined in 
section 1 are related to each other in the following way: 

Lemma 2.1 The Walsh transform of the function $\hat r$ is equal to the function $\hat F^2$. 

Proof: According to the definition of the autocorrelation function, we have: 

$$\forall t \in G,\quad \hat{\hat r}(t) = \sum_{s \in G}\Big(\sum_{x \in G} (-1)^{f(x)+f(x+s)+t \cdot s}\Big) = \sum_{x \in G}\Big(\sum_{s \in G} (-1)^{f(x)+f(x+s)+t \cdot s}\Big).$$

Since $G$ is invariant under any translation, we may replace $s$ by $x + s$ in the second sum. 
We obtain: 

$$\hat{\hat r}(t) = \sum_{x \in G}\Big(\sum_{s \in G} (-1)^{f(x)+f(s)+t \cdot x + t \cdot s}\Big) = \Big(\sum_{x \in G} (-1)^{f(x)+t \cdot x}\Big)\Big(\sum_{s \in G} (-1)^{f(s)+t \cdot s}\Big) = (\hat F(t))^2. \quad \square$$
We now prove the first part of the conjecture stated in [6] and characterize those 
functions for which equality holds: 

Theorem 2.1 Any boolean function $f$ on $G$ satisfies $(2^n - N_{\hat r})(2^n - N_{\hat F}) \ge 2^n$. 
Equality holds if and only if: 

(i) there exists an element $t$ in $G$ such that for any $s$ in $G$, $\hat r(s)$ is equal to $0$ or to 
$(-1)^{t \cdot s}\, 2^n$; that is, if and only if: 

(ii) there exists a linear form $x \mapsto t \cdot x$ on $G$ and two subspaces $E$ and $E'$ of $G$ ($E'$ of 
even dimension) such that: 

- $G$ is the direct sum of $E$ and $E'$; 

- the restriction of $f$ to $E'$ is bent; 

- for all $x$ in $E$ and all $y$ in $E'$, $f(x+y)$ is equal to $f(y) + t \cdot x$. 

Proof: Since the values of the function $\hat r$ are all at most equal to $2^n$, and since 
$\sum_{s \in G} \hat r(s) = \hat{\hat r}(0) = (\hat F(0))^2$ by the lemma, we have: 

$$2^n - N_{\hat r} \ge 2^{-n}\sum_{s \in G} \hat r(s) = 2^{-n}(\hat F(0))^2.$$

The number $N_{\hat r}$ clearly does not change when we replace the function $f(x)$ by any of the 
functions $f(x) + x \cdot t$ ($t \in G$). Replacing $f(x)$ by $f(x) + x \cdot t$, we change $\hat F(0)$ into $\hat F(t)$. 
Thus: 

$$2^n - N_{\hat r} \ge 2^{-n}(\hat F(t))^2 \quad \forall t \in G. \tag{1}$$

We also have, by Parseval's relation: 

$$2^n - N_{\hat F} \ge \frac{\sum_{s \in G}(\hat F(s))^2}{\sup_t (\hat F(t))^2} = \frac{2^{2n}}{\sup_t (\hat F(t))^2}. \tag{2}$$

Multiplying these two inequalities, we obtain: 

$$(2^n - N_{\hat r})(2^n - N_{\hat F}) \ge 2^n.$$
We now shall prove that if equality holds then (i) is true, that if (i) is satisfied then so is (ii), 
and that if (ii) is true then equality holds. 

- If equality holds then, according to (1) and (2): 

$$2^n - N_{\hat r} = 2^{-n}\sup_t(\hat F(t))^2 \quad \Big(\text{and } 2^n - N_{\hat F} = \frac{2^{2n}}{\sup_t(\hat F(t))^2}\Big).$$

Let $\hat r'$ be the auto-correlation function associated with the function $f(x) + x \cdot t$, where 
$t$ is chosen such that $(\hat F(t))^2$ is maximal. By applying the previous lemma to the function $f(x) + x \cdot t$, we 
obtain: 

$$\sum_{s \in G} \hat r'(s) = (\hat F(t))^2, \quad \text{and therefore:} \quad \sum_{s \in G} \hat r'(s) = 2^n(2^n - N_{\hat r'}) = \sum_{s \in G,\ \hat r'(s) \ne 0} 2^n.$$

Since each non-zero value of $\hat r'$ is at most $2^n$, this forces: $\forall s \in G,\ \hat r'(s) = 0$ or $2^n$. We have $\forall s \in G,\ \hat r(s) = (-1)^{t \cdot s}\hat r'(s)$, and (i) is true. 

- If (i) is true, then let $E$ be the set of all the elements $x$ of $G$ such that: 
$\hat r(x) = (-1)^{t \cdot x}\,2^n$, that is $\forall s \in G,\ f(x+s) = f(s) + x \cdot t$. 

$E$ is clearly a subspace of $G$. Let $E'$ be any subspace of $G$ such that $G$ is the direct sum 
of $E$ and $E'$. Then, since $f(x+y) + f(x+y+v) = f(y) + f(y+v)$ for $x \in E$ and $y, v \in E'$: 

$$\forall v \in E',\ v \ne 0 \Rightarrow v \notin E \Rightarrow \hat r(v) = 0 \Rightarrow |E|\sum_{y \in E'}(-1)^{f(y)+f(y+v)} = 0 \Rightarrow \sum_{y \in E'}(-1)^{f(y)+f(y+v)} = 0.$$

Thus the restriction of $f$ to $E'$ is bent, and (ii) is satisfied. 

- Suppose (ii) is true. We may without loss of generality suppose that $t = 0$, since changing 
the value of $t$ does not change $N_{\hat r}$ or $N_{\hat F}$. Then the value of $f(x+y)$ ($x \in E$, $y \in E'$) 
does not depend on $x$, and we have, for $x \in E$ and $y \in E'$: 

$$\hat r(x+y) = \sum_{u \in E,\ v \in E'} (-1)^{f(v) + f(v+y)} = |E| \sum_{v \in E'} (-1)^{f(v)+f(v+y)} = \begin{cases} 2^n & \text{if } y = 0 \\ 0 & \text{otherwise,}\end{cases}$$

so $2^n - N_{\hat r} = |E|$, and, by the lemma, $\forall s \in G$: 

$$(\hat F(s))^2 = \sum_{x \in G} \hat r(x)(-1)^{x \cdot s} = \sum_{x \in E} 2^n (-1)^{x \cdot s} = \begin{cases} 2^n |E| & \text{if } s \in E^\perp \\ 0 & \text{otherwise,}\end{cases}$$

where $E^\perp = \{s \in G \mid \forall x \in E,\ s \cdot x = 0\}$. 

So $2^n - N_{\hat F} = |E^\perp|$ and $(2^n - N_{\hat r})(2^n - N_{\hat F}) = |E|\,|E^\perp| = 2^n$. $\square$ 
Remark: 

1) We have in fact: $\forall x \in E,\ \forall y \in G,\ f(x+y) = f(y) + t \cdot x$. 

2) We have proved: 

$$\frac{2^n - N_{\hat r}}{2^n} \ \ge\ \sup_{t \in G}\Big(\frac{\hat F(t)}{2^n}\Big)^2 \ \ge\ \frac{1}{2^n - N_{\hat F}},$$

which shows the trade-offs between the highest correlation to linear functions (in the 
middle), a certain measure of correlation immunity (on the right) and the non-vanishing 
of the auto-correlation function (on the left). 

Definition 2.1 A function $f$ which satisfies the equality $(2^n - N_{\hat r})(2^n - N_{\hat F}) = 2^n$ is 
called partially-bent. 

Let $f$ be a partially-bent function, $E$ and $E'$ two linear subspaces of $G$ such that $G$ is 
the direct sum of $E$ and $E'$, $f$ is bent on $E'$ and $f(x+y) = f(y) + t \cdot x$ for $x \in E$, $y \in E'$. 
Let $\varphi_f$ be the function defined on $G \times G$ by: $\varphi_f(u,v) = f(0) + f(u) + f(v) + f(u+v)$. 
Then: $\forall x, x' \in E,\ \forall y, y' \in E',\ \varphi_f(x+y, x'+y') = \varphi_f(y, y')$. Since $f|_{E'}$ is bent, the 
restriction of $\varphi_f$ to $E' \times E'$ is non-degenerate, and: 

$$(\varphi_f(x+y, v) = 0\ \ \forall v \in G) \Leftrightarrow (y = 0).$$

$E$ is the set of all the elements $u$ of $G$ such that $\varphi_f(u,v) = 0\ \forall v \in G$. 
Thus $E$ is unique. 
Clearly, $E'$ is not. 

If $E$ has dimension $n - 2h$, then $t$ may take $2^{2h}$ values, since the values of the linear form 
$x \mapsto t \cdot x$ are fixed only on $E$. 

Definition 2.2 Let $f$ be a partially-bent function, $\varphi_f$ be the function defined on $G \times G$ 
by: 

$$\varphi_f(u,v) = f(0) + f(u) + f(v) + f(u+v).$$

The linear space $E = \{u \in G \mid \varphi_f(u,v) = 0\ \forall v \in G\}$ is called the kernel associated with 
$f$. 

Any quadratic function is partially-bent (cf. [6]) and the kernel associated with $f$ is the 
kernel of its associated symplectic form $\varphi_f$. 

Remark: 

1) The definition and the linearity of the set $E$ are valid for any boolean function. 

2) Since the degree of any bent function on a linear space of dimension $2p$ is at most 
$p$, the degree of a partially-bent function is at most half the codimension of its 
kernel. 
3) The set of partially-bent functions on $G$ is not a linear space: for instance, if $n = 6$, 
the non-quadratic partially-bent functions are the non-quadratic bent functions, which 
are all known (cf. [7]), and it is easy to find two bent functions whose sum is neither bent 
nor quadratic. 

4) The number of partially-bent functions seems to be difficult to obtain: it depends on 
the number of bent functions, which is unknown (except for small values of $n$). 

5) Let $f$ be a boolean quadratic function on $G$ and $l$ an affine boolean function on the 
same space; then the following boolean function on $\{0,1\}^{n+1}$: 

$$(x_1, \ldots, x_n, x_{n+1}) \in \{0,1\}^{n+1} \mapsto f(x_1, \ldots, x_n) + x_{n+1}\, l(x_1, \ldots, x_n)$$

is quadratic, and any quadratic function on $\{0,1\}^{n+1}$ is of that type (thus, the number 
of quadratic functions on $\{0,1\}^{n+1}$ equals the number of quadratic functions on $\{0,1\}^n$, 
times $2^{n+1}$). That is no longer true if we replace "quadratic" by "partially-bent". 

3 Properties of partially-bent functions 

Since the authors conjecture in [6] that, if $n$ is even, the non-quadratic partially-bent 
functions satisfy $PC(n)$, let us begin with the propagation criterion: 

Proposition 3.1 A partially-bent function $f$ on $G$ satisfies $PC(k)$ ($k = 1, \ldots, n$) if and 
only if its associated kernel $E$ only contains elements of Hamming weight $> k$, or equal 
to $0$. 

Proof: The proof is straightforward: $\hat r(x) = 0$ if and only if $x \notin E$. $\square$ 

Thus, the second parts of the conjectures stated by B. Preneel in [6] and at the Las Vegas 
Conference on Finite Fields (which characterize the functions for which equality 
holds) are false: 

- if $n$ is even, suppose that $E$ contains an element of weight 1; then $f$ does not satisfy 
$PC(1)$; 

- if $n$ is odd, $2^n - N_{\hat r} = |E|$ may be any odd power of 2, and if the codimension of $E$ is at 
least 6, then $f$ may be non-quadratic. 

Remark: 

The number of partially-bent functions satisfying $PC(k)$ seems to be even more difficult 
to obtain than that of the partially-bent functions: it depends on the number of linear 
spaces of minimum weight greater than $k$, which is unknown except for small values of $n$. 
The weight of a boolean function on $G$ is the size of its support. A function $f(x)$ is 
called balanced if its weight is $2^{n-1}$, that is if $\hat F(0) = 0$. 

Proposition 3.2 A partially-bent function $f$ on $G$ is balanced if and only if its restriction 
to its associated kernel is non-constant, that is if and only if there exists an element 
$u$ in $G$ such that: 

$$\forall x \in G:\ f(x+u) = f(x) + 1.$$

Otherwise, its weight is equal to $2^{n-1} \pm 2^{n-1-h}$ ($h \in \mathbb{N}$, $h \le n/2$). 

Proof: Let $f$ be a partially-bent function, $E$ its associated kernel, and $E'$ a subspace 
such that $G$ is the direct sum of $E$ and $E'$. 

$\hat F(0)$ is equal to: 

$$\sum_{u \in G}(-1)^{f(u)} = \sum_{x \in E}(-1)^{t \cdot x}\ \sum_{y \in E'}(-1)^{f(y)},$$

and these two last sums satisfy: 

$$\sum_{y \in E'}(-1)^{f(y)} = \pm\sqrt{|E'|} \ne 0 \ \text{ since } f|_{E'} \text{ is bent, and } \quad \sum_{x \in E}(-1)^{t \cdot x} = \begin{cases} 0 & \text{if } t \notin E^\perp \\ |E| & \text{otherwise.}\end{cases}$$

Thus, $f$ is balanced if and only if $t$ does not belong to $E^\perp$, that is if and only if $f$ 
is non-constant on $E$. 

In that case, let $u$ be any element in $E \setminus t^\perp$, where $t^\perp = \{x \in G \mid x \cdot t = 0\}$. We have: 

$$\forall x \in G,\ f(x+u) = f(x) + t \cdot u = f(x) + 1.$$

Conversely, if $u$ satisfies that property, then $f$ is non-constant on $E$. 

If $f$ is non-balanced, suppose $E$ has dimension $n - 2h$; then the sum $\sum_{u \in G}(-1)^{f(u)}$, which 
is equal to $2^n - 2w(f)$, is also equal to $\pm|E|\sqrt{|E'|} = \pm 2^{n-2h}\,2^h = \pm 2^{n-h}$. 

So, $w(f) = 2^{n-1} \pm 2^{n-h-1}$. $\square$ 

Proposition 3.3 The number $\lambda_n$ of partially-bent balanced functions on $G = \{0,1\}^n$ 
is equal to $(2^n - 1)$ times the number $\lambda'_{n-1}$ of partially-bent non-balanced functions on 
$\{0,1\}^{n-1}$ ($n \ge 2$). 

Proof: Let $f$ be a partially-bent balanced function on $G$ and $E$ its associated kernel 
(since $f$ is balanced, $E$ is not the trivial space $\{0\}$). 

Let $E'$ be a subspace of $G$ such that $G$ is the direct sum of $E$ and $E'$, $t$ any element of 
$G$ such that $f(x+y) = f(y) + t \cdot x$, $x \in E$, $y \in E'$ ($t \ne 0$ since $f$ is balanced) and $H$ the 
linear hyperplane $t^\perp = \{x \in G \mid x \cdot t = 0\}$. 

Let $\phi : \{0,1\}^{n-1} \to H$ be a linear isomorphism. Then the boolean function $g = f \circ \phi$ 
is clearly partially-bent, of associated kernel $\phi^{-1}(E)$. According to proposition 3.2, it is 
non-balanced since: 

$$\forall x \in \phi^{-1}(E),\ \forall y \in \phi^{-1}(E'),\ g(x+y) = g(y).$$

Let us now calculate the number of triples $(H, \phi, g)$ so associated with $f$: 

suppose $E$ has dimension $n - 2h$ ($2h < n$); then the set of all the possible values of $t$ is 
an affine set of direction $E^\perp$, so its size (which is the number of possible $H$) is $2^{2h}$. 

$H$ being chosen, there exist (cf. [5]) $(2^{n-1} - 1)(2^{n-1} - 2)\cdots(2^{n-1} - 2^{n-2})$ isomorphisms 
$\phi$ from $\{0,1\}^{n-1}$ to $H$, and if $H$ and $\phi$ are chosen, then $g$ is unique. So the number of 
$(H, \phi, g)$ associated with $f$ is $2^{2h}(2^{n-1} - 1)\cdots(2^{n-1} - 2^{n-2})$. 

Notice that the dimension of the associated kernel $\phi^{-1}(E)$ of $g$ is $n - 1 - 2h \ge 0$. 

Let now $g$ be any partially-bent non-balanced function on $\{0,1\}^{n-1}$, suppose its associated 
kernel $E''$ has dimension $n - 1 - 2h$, and let $H$ be a linear hyperplane of $\{0,1\}^n$ 
and $\phi$ an isomorphism from $\{0,1\}^{n-1}$ onto $H$. Let us calculate the number of partially-bent 
balanced functions $f$ on $G$ such that $g = f \circ \phi$. 

The associated kernel $E$ of $f$ necessarily contains $\phi(E'')$, has dimension $n - 2h$, and is not 
contained in $H$. So it is equal to a linear space of the type $\{u + v \mid u \in \phi(E''),\ v \in \{0, s\}\}$ 
where $s$ is any element outside $H$. The number of such $E$ is equal to the number of such 
elements $s$ in $\{0,1\}^n \setminus H$, divided by the size of $\phi(E'')$, since two elements $s$ and $s'$ define 
the same set $E$ if and only if $s + s'$ belongs to $\phi(E'')$. The number of kernels $E$ is therefore 
$2^{n-1} / 2^{n-1-2h} = 2^{2h}$. 

$E$ being chosen, $f$ is unique, since the value of $f$ on $E \setminus \phi(E'')$ must be equal to $f(0) + 1$. 
So the number of partially-bent balanced functions $f$ on $G$ corresponding to $(H, \phi, g)$ 
is $2^{2h}$, and the number $\lambda_n$ of partially-bent balanced functions on $G$ equals the number 
of ordered pairs $(H, g)$ where $H$ is any linear hyperplane and $g$ any partially-bent non-balanced 
function on $\{0,1\}^{n-1}$. The number of linear hyperplanes being $2^n - 1$, we have 
$\lambda_n = (2^n - 1)\lambda'_{n-1}$. $\square$ 



Remark: 

1) The previous proof is valid when we restrict ourselves to the quadratic functions, since 
$f$ is quadratic if and only if $g$ is quadratic. 

Therefore, the number $\mu_n$ of balanced quadratic functions on $G$ is equal to $(2^n - 1)$ times 
the number $\mu'_{n-1}$ of non-balanced quadratic functions on $\{0,1\}^{n-1}$ ($n \ge 2$). 
This result can be recovered in another way: the number $\mu_n$ is known (cf. [5]): 

$$\mu_n = 2^{\binom{n}{2}+n+1} - 2 - 2\sum_{h=1}^{\lfloor n/2 \rfloor} 2^{h(h+1)}\, \frac{(2^n - 1)(2^{n-1} - 1)\cdots(2^{n-2h+1} - 1)}{(2^{2h} - 1)(2^{2h-2} - 1)\cdots(2^2 - 1)}$$

(where $\lfloor\ \rfloor$ denotes the integer part), and therefore the equality $\mu_n = (2^n - 1)\mu'_{n-1}$ is equivalent 
with: 

$$2^{\binom{n}{2}+n+1} - 2 - 2\sum_{h=1}^{\lfloor n/2 \rfloor} 2^{h(h+1)}\, \frac{(2^n - 1)\cdots(2^{n-2h+1} - 1)}{(2^{2h} - 1)(2^{2h-2} - 1)\cdots(2^2 - 1)} = (2^n - 1)\Big(2 + 2\sum_{h=1}^{\lfloor (n-1)/2 \rfloor} 2^{h(h+1)}\, \frac{(2^{n-1} - 1)\cdots(2^{n-2h} - 1)}{(2^{2h} - 1)\cdots(2^2 - 1)}\Big).$$

That last equality is checked in [2]. 

2) Proposition 3.3 would give us a chance to evaluate the number of partially-bent balanced 
functions if the number of partially-bent functions were known. 
That is not the case, but we have: 

Proposition 3.4 The number of balanced quadratic functions on $G$ is greater than that 
of the non-balanced quadratic functions when $n$ is odd, and smaller when $n$ is even. 

Proof: Let $\mu_n$ (respectively $\mu'_n$) be the number of quadratic balanced (respectively non-balanced) 
functions on $G$. 

Since the number of quadratic functions is $2^{\binom{n}{2}+n+1}$ (cf. [5]), we have: 

$$\forall n \ge 2,\quad \mu'_n = 2^{\binom{n}{2}+n+1} - (2^n - 1)\mu'_{n-1}.$$

Let us prove by induction on $n$ that: 

$$\mu_n < \mu'_n,\ \text{that is } \mu'_n > 2^{\binom{n}{2}+n},\ \text{if } n \text{ is even},\ n \ge 2;$$

$$\mu_n > \mu'_n,\ \text{that is } \mu'_n < 2^{\binom{n}{2}+n},\ \text{if } n \text{ is odd},\ n \ge 3.$$

That is true for $n = 2, 3$ since $\mu_2 = 6$, $\mu'_2 = 10$, $\mu_3 = 70$, $\mu'_3 = 58$. 

Suppose it is true for odd $n \ge 3$; then, using $\binom{n+1}{2} = \binom{n}{2} + n$: 

$$\mu'_n < 2^{\binom{n}{2}+n} \ \Rightarrow\ \mu'_{n+1} > 2^{\binom{n+1}{2}+n+2} - (2^{n+1} - 1)\,2^{\binom{n}{2}+n} = 2^{\binom{n+1}{2}+n+1} + 2^{\binom{n+1}{2}}$$

$$\Rightarrow\ \mu'_{n+2} < 2^{\binom{n+2}{2}+n+3} - (2^{n+2} - 1)\Big(2^{\binom{n+1}{2}+n+1} + 2^{\binom{n+1}{2}}\Big) = 2^{\binom{n+2}{2}+n+2} - 2^{\binom{n+2}{2}} + 2^{\binom{n+1}{2}} < 2^{\binom{n+2}{2}+n+2}.$$

And the proof is complete. $\square$ 
Proposition 3.5 A partially-bent function defined by $\forall x \in E,\ \forall y \in E',\ f(x+y) = f(y) + t \cdot x$ 
is $k$th-order correlation-immune (respectively $k$th-order correlation-immune 
and balanced) if and only if $t + E^\perp$ only contains elements of Hamming weight greater 
than $k$ or equal to $0$ (respectively greater than $k$). 

Proof: We have: 

$$\hat F(s) = \sum_{x \in E,\ y \in E'} (-1)^{f(x+y) + (x+y) \cdot s} = \sum_{x \in E}(-1)^{x \cdot (t+s)}\ \sum_{y \in E'}(-1)^{f(y) + y \cdot s}.$$

Since $f$ is bent on $E'$, the sum $\sum_{y \in E'}(-1)^{f(y)+y \cdot s}$ is different from $0$. 

Therefore: $\hat F(s) \ne 0 \Leftrightarrow s + t \in E^\perp$. $\square$ 

Remark: 

If $f$ is non-balanced, then we may take $t = 0$ and the condition becomes: 
$E^\perp \setminus \{0\}$ only contains elements of Hamming weight greater than $k$. 

According to the Singleton bound (cf. [5]), we then have $\dim E^\perp \le n - k$, and since the 
degree of the restriction of $f$ to a subspace $E'$ of $G$ is bounded by $\dim E'/2$ (cf. [4]), the 
degree of $f$ is bounded by $(n-k)/2$. 

So, there does not exist any function which would be partially-bent and $k$th-order correlation-immune 
of maximal degree: the maximal degree of the $k$th-order correlation-immune 
functions is $n - k$ (cf. [9]). 

On the contrary, there do exist partially-bent balanced $k$th-order correlation-immune 
functions of maximal degree (that degree is $n - k - 1$): see [1] or [2] for the case $k = n - 3$. 
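The objects of Sections 2 and 3 are all finite sums over $\{0,1\}^n$, so the statements can be checked mechanically on small functions. The script below is an added example, not code from the paper: it computes $\hat F$, $\hat r$, the counts $2^n - N_{\hat r}$ and $2^n - N_{\hat F}$ of Theorem 2.1, the kernel $E$ and the linear part $t$ of Definition 2.2, and verifies Lemma 2.1 together with the kernel characterizations of $PC(k)$ (Proposition 3.1), balancedness (Proposition 3.2) and the correlation-immunity order (Proposition 3.5) against direct computation from the transforms. Functions are truth tables indexed by integers; the convention that bit $i$ of the index is the coordinate $x_{i+1}$, and the sample functions ($x_1 x_2 + x_3 x_4$, $x_1 x_2 + x_3 x_4 + x_5$, $x_1 x_2 + x_3 + x_4$ and the cubic $x_1 x_2 x_3$), are choices made here.

```python
"""Walsh transform, auto-correlation and the partially-bent criterion.

Added illustration, not code from the paper.  Vectors of {0,1}^n are
integers whose bit i is the coordinate x_{i+1}; a boolean function is a
list of 2^n bits indexed by those integers.
"""


def dot(x, s):
    """x . s over GF(2): parity of the bitwise AND."""
    return bin(x & s).count("1") & 1


def truth_table(n, expr):
    """Truth table of expr(x1, ..., xn), with x_i taken from bit (i-1) of the index."""
    return [expr(*[(x >> i) & 1 for i in range(n)]) & 1 for x in range(1 << n)]


def walsh(f, n):
    """F_hat(s) = sum_x (-1)^(f(x) + x.s), for every s."""
    size = 1 << n
    return [sum(-1 if f[x] ^ dot(x, s) else 1 for x in range(size)) for s in range(size)]


def autocorr(f, n):
    """r_hat(s) = sum_x (-1)^(f(x) + f(x+s)), for every s."""
    size = 1 << n
    return [sum(-1 if f[x] ^ f[x ^ s] else 1 for x in range(size)) for s in range(size)]


def lemma_holds(f, n):
    """Lemma 2.1: the Walsh transform of r_hat equals F_hat squared."""
    F, r = walsh(f, n), autocorr(f, n)
    size = 1 << n
    return all(sum(r[s] * (-1 if dot(s, t) else 1) for s in range(size)) == F[t] ** 2
               for t in range(size))


def nonzeros_product(f, n):
    """(2^n - N_r)(2^n - N_F): at least 2^n for every f, exactly 2^n iff partially-bent."""
    nz_r = sum(1 for v in autocorr(f, n) if v)
    nz_F = sum(1 for v in walsh(f, n) if v)
    return nz_r * nz_F


def is_partially_bent(f, n):
    return nonzeros_product(f, n) == 1 << n


def kernel(f, n):
    """E = {u : phi_f(u, v) = 0 for all v}, phi_f(u, v) = f(0)+f(u)+f(v)+f(u+v)."""
    size = 1 << n
    return [u for u in range(size)
            if all((f[0] ^ f[u] ^ f[v] ^ f[u ^ v]) == 0 for v in range(size))]


def linear_part(f, n):
    """A t with f(u) = f(0) + t.u on E (t is only determined modulo E^perp)."""
    E = kernel(f, n)
    for t in range(1 << n):
        if all((f[u] ^ f[0]) == dot(t, u) for u in E):
            return t
    raise ValueError("no linear part: f is not partially-bent")


def satisfies_pc(f, n, k):
    """PC(k) checked directly: r_hat(s) = 0 whenever 1 <= w(s) <= k."""
    r = autocorr(f, n)
    return all(r[s] == 0 for s in range(1, 1 << n) if bin(s).count("1") <= k)


def pc_from_kernel(f, n, k):
    """Proposition 3.1: PC(k) iff every non-zero element of E has weight > k."""
    return all(u == 0 or bin(u).count("1") > k for u in kernel(f, n))


def is_balanced(f, n):
    return walsh(f, n)[0] == 0


def balanced_from_kernel(f, n):
    """Proposition 3.2: balanced iff f is non-constant on its kernel E."""
    return len({f[u] for u in kernel(f, n)}) == 2


def correlation_immune_order(f, n):
    """Largest k with F_hat(s) = 0 for all 1 <= w(s) <= k, checked directly."""
    F = walsh(f, n)
    k = 0
    while k < n and all(F[s] == 0 for s in range(1, 1 << n) if bin(s).count("1") == k + 1):
        k += 1
    return k


def ci_order_from_kernel(f, n):
    """Proposition 3.5: F_hat(s) != 0 iff s + t in E^perp, so the order is one less
    than the minimum weight of the non-zero elements of the coset t + E^perp."""
    E, t = kernel(f, n), linear_part(f, n)
    E_perp = [s for s in range(1 << n) if all(dot(s, u) == 0 for u in E)]
    weights = [bin(t ^ s).count("1") for s in E_perp if (t ^ s) != 0]
    return (min(weights) - 1) if weights else n
```

Running the checks on $x_1 x_2 + x_3 x_4$ gives kernel $\{0\}$, product $1 \cdot 16 = 2^4$ and $PC(4)$, as a bent function should; $x_1 x_2 + x_3 x_4 + x_5$ has kernel $\{0, e_5\}$ with $t = e_5$, is balanced and fails $PC(1)$; $x_1 x_2 + x_3 + x_4$ is first-order correlation-immune because the coset $t + E^\perp$ has minimum weight 2; and the cubic $x_1 x_2 x_3$ gives product $64 > 2^3$, so it is not partially-bent, although Lemma 2.1 still holds for it.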

4 Conclusion 

The main interest of the class of quadratic functions is in its nice properties: we know 
the weights of the functions and we can characterize the functions which satisfy $PC(k)$, 
those which are balanced, and those which are $k$th-order correlation-immune. But the quadratic functions 
are of poor interest from a cryptographic point of view since they are too simple. 

The class of partially-bent functions shares the same qualities since all the properties 
of the quadratic functions can be generalized to the partially-bent functions (with three 
exceptions: it is not a linear space, we are not able to calculate its size or to give the 
general algebraic normal form of these functions). 

The interest of this class of functions is greater from a cryptographic point of view because 
the partially-bent functions involve bent functions whose complexity may be great 
(clearly, a partially-bent function will have a high level of nonlinearity if its associated 
kernel is small). 
Abstract. This paper presents three methods for strengthening public 
key cryptosystems in such a way that they become secure against 
adaptively chosen ciphertext attacks. In an adaptively chosen ciphertext 
attack, an attacker can query the deciphering algorithm with any ciphertexts, 
except for the exact object ciphertext to be cryptanalyzed. The first 
strengthening method is based on the use of one-way hash functions, the 
second on the use of universal hash functions and the third on the use 
of digital signature schemes. Each method is illustrated by an example 
of a public key cryptosystem based on the intractability of computing 
discrete logarithms in finite fields. Two other issues, namely applications 
of the methods to public key cryptosystems based on other intractable 
problems and enhancement of the information authentication capability of 
the cryptosystems, are also discussed. 

1 Introduction 

A considerable amount of research has been done in recent years, both from the 
theoretical [BFM88, NY90, DDN91, RS92] and practical [Dam92] points of view, 
in the pursuit of the construction of public key cryptosystems secure against 
chosen ciphertext attacks. In such an attack, the attacker (cryptanalyst) has 
access to the deciphering algorithm of a cryptosystem. The attacker can query 
the deciphering algorithm with any ciphertexts, obtain the matching plaintexts 
and use the attained knowledge in the cryptanalysis of an object ciphertext. 

The theoretical results are appealing in that the schemes which embody them 
are provably secure under certain assumptions. However, most of these schemes 
are impractical due to the large expansion of the resulting ciphertext. The recent 
and notable schemes by Damgård overcome the problem of impracticality, but 
they are totally insecure against adaptively chosen ciphertext attacks, in which 
an attacker has access to the deciphering algorithm even after he or she is given 
an object ciphertext to be cryptanalyzed. The attacker is allowed to query the 
deciphering algorithm with any ciphertext, except for the exact object ciphertext. 

Adaptively chosen ciphertext attacks pose serious problems for many 
services provided by modern information technology. To illustrate the possible 
attacks, consider the case of a security-enhanced electronic mail system where 
a public key cryptosystem is used to encipher messages passed among users. 
Nowadays it is common practice for an electronic mail user to include the original 
message he or she received in a reply to the message. For instance, a reply to 
a message may be as follows: 

(original message) 

> 

> Hi, is Yum-Cha still on tonight ? 

> 

(reply to the message) 
Yes, it's still on. I've already made the bookings. 



This practice provides an avenue for chosen ciphertext attacks, as an attacker 
can send a ciphertext to a target user and expect the user to send back the 
corresponding plaintext as part of the reply. Now suppose that a user Alice is in 
the process of negotiating, through the electronic mail system, with two other 
users Bob and Cathy, who are rivals of each other in a business. Let c be a 
ciphertext from Bob to Alice. Naturally, Cathy would like to know the contents 
of the communications between Alice and Bob. Cathy can obtain the ciphertext 
c by eavesdropping. However, it would be infeasible for her to extract its contents 
directly. Instead, Cathy might try to discover implicitly the contents of c 
through discussions with Alice using the electronic mail. The problem facing 
Cathy is that she cannot simply pass c to Alice in the hope that Alice would 
include the contents of c in her reply, as Alice would detect that c is actually a 
ciphertext created by Bob and not by Cathy. Nevertheless, if the cryptosystem is 
insecure against adaptively chosen ciphertext attacks, Cathy might still be able 
to obtain indirectly what she wants in the following way: 

1. Send Alice ciphertexts $c_1, c_2, \ldots, c_n$, none of which is the same as the object 
ciphertext $c$. 

2. Receive the matching plaintext messages (hopefully) and 

3. Extract the contents of c by the use of information obtained from the n 
plaintext-ciphertext pairs. 

In this paper we present three pragmatic methods for immunizing public key 
cryptosystems against adaptively chosen ciphertext attacks. The first method is 
based on the use of one-way hash functions, the second on the use of univer- 
sal hash functions and the third on the use of digital signature schemes. Each 
method is illustrated by an example of a public key cryptosystem based on 
the intractability of computing discrete logarithms in finite fields. Security of 
the three cryptosystems against adaptively chosen ciphertext attacks is formally 
proved under reasonable assumptions. 

In Section 2, we introduce notion and notations that are needed, and sum- 
marize various types of possible attack to cryptosystems. In Section 3 previous 
proposals together with their problems are reviewed. Our immunization meth- 
ods are illustrated in Section 4, by three public key cryptosystems based on the 
intractability of computing discrete logarithms in finite fields. Section 5 is con- 
cerned with two other issues, namely applications of the immunization methods 
to public key cryptosystems based on other intractable problems, such as the 
problem of factoring large composite numbers, and the addition of information 
authentication capability to the three cryptosystems. Finally Section 6 presents 
some concluding remarks. 

The reader is directed to [ZS93] where the three cryptosystems are formally 
proved to be secure against adaptively chosen ciphertext attacks. 

2 Notion and Notations 

We will be concerned with the alphabet $\Sigma = \{0,1\}$. The length of a string $x$ 
over $\Sigma$ is denoted by $|x|$, and the concatenation of two strings $x$ and $y$ is denoted 
by $x \| y$. The bit-wise exclusive-or of two strings $x$ and $y$ of the same length is 
denoted by $x \oplus y$. The $i$-th bit of $x$ is denoted by $x_i$, and the substring of $x$ from 
$x_i$ to $x_j$, where $i \le j$, is denoted by $x_{[i \ldots j]}$. $\#S$ indicates the number of elements 
in a set $S$, and $x \in_R S$ means choosing randomly and uniformly an element $x$ 
from the set $S$. The Cartesian product of two sets $S$ and $T$ is denoted by $S \times T$. 

Denote by $\mathbb{N}$ the set of all positive integers, and by $n$ a security parameter 
which determines the length of messages, the length of ciphertexts, the 
security of cryptosystems etc. As in the Diffie-Hellman/ElGamal public key 
scheme [DH76, ElG85], $p$ is an $n$-bit prime and $g$ is a generator for the multiplicative 
group $GF(p)^*$ of the finite field $GF(p)$. Both $p$ and $g$ are public. To 
guarantee the security of cryptosystems based on the discrete logarithm problem, 
the length $n$ of $p$ should be large enough, preferably $n \ge 512$, and $p - 1$ 
should contain a large prime factor [PH78, LO91]. Unless otherwise specified, 
all exponentiation operations appearing in the remaining part of this paper are 
assumed to be over the underlying groups. 

Note that there is a natural one-to-one correspondence between strings in $\Sigma^n$ 
and elements in the finite field $GF(2^n)$. Similarly, there is a natural one-to-one 
correspondence between strings in $\Sigma^n$ and integers in $[0, 2^n - 1]$. Therefore, we 
will not distinguish among strings in $\Sigma^n$, elements in $GF(2^n)$ and integers in 
$[0, 2^n - 1]$. 

A public key cryptosystem, invented by Diffie and Hellman [DH76], consists 
of three polynomial time algorithms $(C, E, D)$. $C$ is called a key-generation algorithm 
which, on input $n$, generates probabilistically a pair $(pk, sk)$ of public 
and secret keys. Following the tradition in the field, when a security parameter 
$n$ is used as input to an algorithm, it will be represented by the all-1 string of 
$n$ bits, which is denoted by $1^n$. $E$ is called an enciphering algorithm which, on 
input a public key $pk$ and a plaintext message $m$, outputs a ciphertext $c$. Here $m$ 
is chosen from a message space $M_n$. $D$ is called a deciphering algorithm which, 
on input a secret key $sk$ and a ciphertext $c$, outputs a message $m$ or a special 
symbol $\emptyset$ meaning "no plaintext output". $E$ and $D$ satisfy the following unique 
decipherability condition, namely $D(sk, E(pk, m)) = m$. 

There are four common types of attack on a cryptosystem, namely ciphertext only attacks, known plaintext attacks, chosen plaintext attacks and chosen ciphertext attacks [Riv90]. Related attacks against digital signatures are fully discussed in [GMR88]. 

In a ciphertext only attack, which is the least severe among the four types of 
attack, an attacker is given an object ciphertext and tries to find the plaintext 
which is hidden in the object ciphertext. 

In a known plaintext attack, an attacker has a collection of plaintext-ciphertext 
pairs besides an object ciphertext. The attacker may use the knowledge gained 
from the pairs of plaintexts and ciphertexts in the cryptanalysis of the object 
ciphertext. 

In a chosen plaintext attack, an attacker has access to the enciphering algo- 
rithm. During the cryptanalysis of an object ciphertext, the attacker can choose 
whatever plaintexts he or she desires, feed the enciphering algorithm with the 
desired plaintexts and obtain the corresponding ciphertexts. Note that this type 
of attack is always applicable to a public key cryptosystem, since the attacker 
always has access to the public enciphering algorithm. 

In a chosen ciphertext attack, which is the most severe among the four types 
of attack, an attacker has access to the deciphering algorithm. The attacker can 
query the deciphering algorithm with any ciphertexts and obtain the correspond- 
ing plaintexts. Then the attacker can use the knowledge obtained in the query 
and answer process to extract the plaintext of an object ciphertext. 

Researchers further distinguish two forms of chosen ciphertext attack: indifferently chosen ciphertext attacks and adaptively chosen ciphertext attacks. An indifferently chosen ciphertext attack is also called a lunchtime attack or a midnight attack [NY90]. In such an attack the ciphertexts fed into the deciphering algorithm are chosen without being related to the object ciphertext. However the ciphertexts fed into the deciphering algorithm may be correlated with one another. This form of attack models the situation where the attacker has access to the deciphering algorithm before he or she is actually given the object ciphertext. 

In adaptively chosen ciphertext attacks all ciphertexts fed into the decipher- 
ing algorithm can be correlated to the object ciphertext. This form of attack 
is more severe than the indifferently chosen ciphertext attacks and it models 
the situation where the attacker has access to the deciphering algorithm even 
after he or she is given the object ciphertext. The attacker is thus permitted 
to give the deciphering algorithm any available ciphertexts, except for the exact 
object ciphertext, and obtain the matching plaintexts. See the Introduction for 
a practical application where adaptively chosen ciphertext attacks would be a 
considerable threat. 
3 Problems with Previous Proposals 

Rabin pioneered the research of constructing provably secure public key cryp- 
tosystems by designing a public key cryptosystem with the property that extract- 
ing the complete plaintext of an object ciphertext is computationally equivalent 
to factoring large numbers [Rab79]. Goldwasser and Micali invented the first 
public key cryptosystem that hides all partial information [GM84]. The cryp- 
tosystem is a probabilistic one and it enciphers a plaintext in a bit-by-bit manner. 
A common drawback of these and many other cryptosystems is that, although secure against chosen plaintext attacks, they are easily compromised by chosen ciphertext attackers. On the other hand, much progress has been made in recent years in the construction of public key cryptosystems secure against chosen ciphertext attacks. We will review this development, and point out problems and weaknesses of the proposed schemes. 

3.1 Theoretical Results 

Theoretical study into the construction of public key cryptosystems secure against chosen ciphertext attacks was initiated by Blum, Feldman and Micali [BFM88], who suggested the potential applicability of non-interactive zero-knowledge proofs to the subject. Naor and Yung carried the study further and gave the first concrete public key cryptosystem that is (semantically) secure against indifferently chosen ciphertext attacks [NY90]. Rackoff and Simon considered a more severe type of attack, namely adaptively chosen ciphertext attacks, and gave a concrete construction for public key cryptosystems withstanding the attacks [RS92]. In [DDN91] Dolev, Dwork and Naor proposed a non-malleable (against chosen plaintext attacks) public key cryptosystem and proved that the cryptosystem is also secure against adaptively chosen ciphertext attacks. 

All of these cryptosystems are provably secure under certain assumptions. 
However since they rely heavily on non-interactive zero-knowledge proofs, the 
resulting ciphertexts are in general much longer than original plaintexts. This 
disadvantage makes the cryptosystems highly impractical and difficult to realize 
in practice. 

3.2 Damgard's Schemes 

In [Dam92], Damgard took a pragmatic approach to the subject. He proposed 
two simple public key cryptosystems that appear to be secure against indiffer- 
ently chosen ciphertext attacks. The first is based on deterministic public key 
cryptosystems. Let $(E_0, D_0)$ be the pair of enciphering and deciphering algorithms of a deterministic public key cryptosystem. Let $(pk_1, sk_1)$ and $(pk_2, sk_2)$ be two pairs of public and secret keys and $h$ be an invertible one-to-one length-preserving function. The enciphering algorithm of Damgard's first cryptosystem operates in the following way.

$$E(pk_1, pk_2, m) = \bigl(E_0(pk_1, r),\ E_0(pk_2, h(r)) \oplus m\bigr) = (c_1, c_2)$$

where $m \in \Sigma^n$ is a plaintext message and $r \in_R \Sigma^n$ is a random string. The corresponding deciphering algorithm is as follows:

$$D(sk_1, pk_2, c_1, c_2) = E_0\bigl(pk_2, h(D_0(sk_1, c_1))\bigr) \oplus c_2$$

Damgard's second scheme is based on the Diffie-Hellman/ElGamal public key cryptosystem [DH76, ElG85], whose security relies on the intractability of computing discrete logarithms in finite fields. A user Alice's secret key is a pair $(x_{A1}, x_{A2})$ of elements chosen independently at random from $[1, p-1]$. Her public key is $(y_{A1}, y_{A2})$, where $y_{A1} = g^{x_{A1}}$ and $y_{A2} = g^{x_{A2}}$. When a user Bob wants to send an $n$-bit message $m$ in secret to Alice, he sends her the following enciphered message

$$E(y_{A1}, y_{A2}, p, g, m) = \bigl(g^r,\ y_{A1}^r,\ y_{A2}^r \oplus m\bigr) = (c_1, c_2, c_3)$$

where $r \in_R [1, p-1]$. Note that here $n$ is the length of the prime $p$. The deciphering algorithm for Alice, who possesses the secret key $(x_{A1}, x_{A2})$, is as follows



Here $\emptyset$ is a special symbol meaning "no plaintext output". 

Although Damgard's schemes are very simple and seem to be secure against indifferently chosen ciphertext attacks, they are insecure against adaptively chosen ciphertext attacks. Given an object ciphertext $c$ ($c = (c_1, c_2)$ for the first scheme, and $c = (c_1, c_2, c_3)$ for the second scheme), an attacker can choose a random message $m_r$ from $\Sigma^n$, calculate the bit-wise exclusive-or of $m_r$ and the last part of the ciphertext $c$, and feed the deciphering algorithm with the modified ciphertext $c'$. The attacker will get $m' = m \oplus m_r$ as an answer, and obtain the desired message² $m$ by computing $m' \oplus m_r$. Our cryptosystems to be described below share the same simplicity possessed by Damgard's cryptosystems, yet they attain a higher level of security, namely security against adaptively chosen ciphertext attacks. 

² One might argue that, since at least half of the bits in the original ciphertext $c$ remain untouched in the modified ciphertext $c'$, adding a checking step to the deciphering algorithms would effectively thwart the attack. This countermeasure, however, does not work in general, as the deciphering algorithms may not know $c$. Even if the deciphering algorithms have a list of ciphertexts containing $c$, a more sophisticated attacker might still succeed in extracting $m$ by generating $c'$ in such a way that it passes the checking step. 

4 Strengthening Public Key Cryptosystems 

This section presents three simple methods for immunizing public key cryptosystems against chosen ciphertext attacks. The nature of the three immunization methods is the same: they all immunize a public key cryptosystem by appending to each ciphertext a tag that is correlated to the message to be enciphered. 
This is also the main technical difference between our proposals and Damgard's 
schemes. The three methods differ in the ways in which tags are generated. In 
the first method tags are generated by the use of a one-way hash function, in 
the second method by the use of a function chosen from a universal class of hash 
functions, and in the third method by the use of a digital signature scheme. 
The second immunization method is superior to the other two immunization 
methods in that no one-way hash functions are needed. This property is particu- 
larly attractive given the current state of research, whereby many one-way hash 
functions exist, few are efficient, and even fewer are provably secure. 

We will illustrate our immunization methods with cryptosystems based on the Diffie-Hellman/ElGamal public key scheme. In Section 5, applications of the immunization methods to cryptosystems based on other intractable problems will be discussed. Denote by $G$ the cryptographically strong pseudo-random string generator based on the difficulty of computing discrete logarithms in finite fields [BM84, LW88, Per85]. $G$ stretches an $n$-bit input string into an output string whose length can be an arbitrary polynomial in $n$. This generator produces $O(\log n)$ bits of output at each exponentiation. In the authors' opinion, for practical applications the generator could produce more than — ■ bits at each exponentiation, without sacrificing security. Recently Micali and Schnorr discovered a very efficient pseudo-random string generator based on polynomials in the finite field $GF(p)$ (see Section 4 of [MS91]). The generator can produce, for example, ^ bits with 1.25 multiplications in $GF(p)$. The efficiency of our cryptosystems to be described below can be further improved if Micali and Schnorr's pseudo-random string generator is employed. 

A user Alice's secret key is an element $x_A$ chosen randomly from $[1, p-1]$, and her public key is $y_A = g^{x_A}$. It is assumed that all messages to be enciphered are chosen from the set $\Sigma^P$, where $P = P(n)$ is an arbitrary polynomial with $P(n) \ge n$. Padding can be applied to messages whose lengths are less than $n$ bits. In addition, let $\ell = \ell(n)$ be a polynomial which specifies the length of tags. It is recommended that $\ell$ should be at least 64 for the sake of security. 

4.1 Immunizing with One-Way Hash Functions 

Assume that $h$ is a one-way hash function compressing input strings into $\ell$-bit output strings. A user Bob can use the following enciphering algorithm to send in secret a $P$-bit message $m$ to Alice. 

Algorithm 1 $E_{owh}(y_A, p, g, m)$ 

1. $x \in_R [1, p-1]$. 
2. $z = G(y_A^x)_{[1 \ldots (P+\ell)]}$. 
3. $t = h(m)$. 
4. $c_1 = g^x$. 
5. $c_2 = z \oplus (m \| t)$. 
6. output $(c_1, c_2)$. 

end 

The deciphering algorithm for Alice, who possesses the secret key $x_A$, is as follows: 

Algorithm 2 $D_{owh}(x_A, p, g, c_1, c_2)$ 

1. $z' = G(c_1^{x_A})_{[1 \ldots (P+\ell)]}$. 
2. $w = z' \oplus c_2$. 
3. $m' = w_{[1 \ldots P]}$. 
4. $t' = w_{[(P+1) \ldots (P+\ell)]}$. 
5. if $h(m') = t'$ then 
   output $(m')$ 
   else 
   output $(\emptyset)$. 

end 

When messages are of $n$ bits, i.e. $P = n$, instead of the one-way hash function $h$ the exponentiation function can be used to generate the tag $t$. In this case, the enciphering algorithm can be modified as follows: (a) change step 2 to "$z = G(y_A^x)_{[1 \ldots 2n]}$"; (b) change step 3 to "$t = g^m$". The deciphering algorithm can be modified accordingly. 

4.2 Immunizing with Universal Hash Functions 

A class $H$ of functions from $\Sigma^P$ to $\Sigma^\ell$ is called a (strongly) universal class of hash functions [CW79, WC81] mapping $P$-bit input into $\ell$-bit output strings if for every $x_1 \ne x_2 \in \Sigma^P$ and every $y_1, y_2 \in \Sigma^\ell$, the number of functions in $H$ taking $x_1$ to $y_1$ and $x_2$ to $y_2$ is $\#H / 2^{2\ell}$. An equivalent definition is that when $h$ is chosen uniformly at random from $H$, the concatenation of the two strings $h(x_1)$ and $h(x_2)$ is distributed randomly and uniformly over the Cartesian product $\Sigma^\ell \times \Sigma^\ell$. Wegman and Carter found a nice application of universal classes of hash functions to unconditionally secure authentication codes [WC81]. 

Now assume that $H$ is a universal class of hash functions which map $P$-bit input into $\ell$-bit output strings. Also assume that $Q = Q(n)$ is a polynomial and that each function in $H$ is specified by a string of exactly $Q$ bits. Denote by $h_s$ the function in $H$ that is specified by a string $s \in \Sigma^Q$. The enciphering algorithm for Bob who wants to send in secret a $P$-bit message $m$ to Alice is the following: 

Algorithm 3 $E_{uhf}(y_A, p, g, m)$ 

1. $x \in_R [1, p-1]$. 
2. $r = y_A^x$. 
3. $z = G(r)_{[1 \ldots P]}$. 
4. $s = G(r)_{[(P+1) \ldots (P+Q)]}$. 
5. $c_1 = g^x$. 
6. $c_2 = h_s(m)$. 
7. $c_3 = z \oplus m$. 
8. output $(c_1, c_2, c_3)$. 

end 

The deciphering algorithm for Alice, who possesses the secret key $x_A$, is as follows: 

Algorithm 4 $D_{uhf}(x_A, p, g, c_1, c_2, c_3)$ 

1. $r' = c_1^{x_A}$. 
2. $z' = G(r')_{[1 \ldots P]}$. 
3. $s' = G(r')_{[(P+1) \ldots (P+Q)]}$. 
4. $m' = z' \oplus c_3$. 
5. if $h_{s'}(m') = c_2$ then 
   output $(m')$ 
   else 
   output $(\emptyset)$. 

end 



Note that the second part c 2 = h s (m) in the ciphertext can be obscured 
in the same way as Algorithm 1. This would improve practical security of the 
cryptosystem, at the expense of more computation time spent in generating 
pseudo-random bits. 

The following is a simple universal class of hash functions which originates from linear congruential generators in finite fields. (See also Propositions 7 and 8 of [CW79].) Let $k$ be an integer. For $k+1$ elements $a_1, a_2, \ldots, a_k, b \in GF(2^\ell)$, let $s$ be their concatenation, i.e. $s = a_1 \| a_2 \| \cdots \| a_k \| b$, and let $h_s$ be the function defined by

$$h_s(x_1, x_2, \ldots, x_k) = \sum_{i=1}^{k} a_i x_i + b$$

where $x_1, \ldots, x_k$ are variables in $GF(2^\ell)$. Then the collection $H$ of the functions $h_s$ defined by all $k+1$ elements from $GF(2^\ell)$ is a universal class of hash functions. Functions in $H$ compress $k\ell$-bit input into $\ell$-bit output strings. By padding input strings, these functions can be applied to input strings whose lengths are not exactly $k\ell$. In particular, when $k = \lceil P/\ell \rceil$, they can be used to compress $P$-bit input into $\ell$-bit output strings. In this case, a function in $H$ can be specified by a string of $Q = P + (1+\alpha)\ell$ bits, where $0 \le \alpha = (P \bmod \ell)/\ell < 1$. This universal class of hash functions is particularly suited to the case where the length $P$ of messages to be enciphered is much larger than the length $\ell$ of tags. We refer the reader to [WC81, Sti90] for other universal classes of hash functions. 
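The linear class $h_s(x_1, \ldots, x_k) = \sum a_i x_i + b$ over $GF(2^\ell)$ as an added Python example (not the paper's code). By our choice $\ell = 8$ with the reduction polynomial $x^8 + x^4 + x^3 + x + 1$ (any irreducible polynomial of degree $\ell$ would do), which is small enough to check the counting definition of Section 4.2 directly: for $k = 1$ the class has $\#H = 2^{2\ell} = 65536$ members, so exactly $\#H/2^{2\ell} = 1$ of them should take a given $x_1 \ne x_2$ to a given $(y_1, y_2)$.

```python
# Added example: the class h_s(x_1..x_k) = sum a_i x_i + b over GF(2^ell) from
# Section 4.2, with ell = 8 so that the universality count can be checked by
# brute force. Not from the paper; the field polynomial is our assumption
# (x^8 + x^4 + x^3 + x + 1, the AES polynomial).
from itertools import product

ELL = 8
POLY = 0x11B                      # x^8 + x^4 + x^3 + x + 1


def gf_mul(a: int, b: int) -> int:
    """Multiplication in GF(2^ELL) by shift-and-add with reduction modulo POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> ELL:              # degree reached ELL: reduce
            a ^= POLY
    return r


def h_s(s: bytes, x: bytes) -> int:
    """h_s(x_1, ..., x_k) = sum_i a_i x_i + b with s = a_1||...||a_k||b; each element is one ELL-bit byte."""
    k = len(s) - 1
    x = x.ljust(k, b"\x00")       # pad short inputs, as the paper allows (assumption: zero padding,
    acc = s[k]                    # which both parties must apply identically); acc starts at b
    for a_i, x_i in zip(s[:k], x[:k]):
        acc ^= gf_mul(a_i, x_i)   # addition in GF(2^ELL) is xor
    return acc


def count_functions(x1: int, x2: int, y1: int, y2: int) -> int:
    """Number of h_s in H (k = 1, so #H = 2^(2 ELL)) with h_s(x1) = y1 and h_s(x2) = y2."""
    return sum(
        1
        for a, b in product(range(1 << ELL), repeat=2)
        if h_s(bytes([a, b]), bytes([x1])) == y1 and h_s(bytes([a, b]), bytes([x2])) == y2
    )
```

For $x_1 \ne x_2$ the two conditions fix $a = (y_1 \oplus y_2)(x_1 \oplus x_2)^{-1}$ and then $b$, so the count is 1, matching $\#H/2^{2\ell}$; for $x_1 = x_2$ the definition makes no promise, and the count is 0 or $2^\ell$ depending on whether $y_1 = y_2$.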



4.3 Immunizing with Digital Signature Schemes 



Assume that $h$ is a one-way hash function compressing input strings into $n$-bit output strings. Also assume that Bob wants to send in secret a $P$-bit message $m$ to Alice. The enciphering algorithm employed by Bob is the following: 

Algorithm 5 $E_{sig}(y_A, p, g, m)$ 

1. $x \in_R [1, p-1]$. 
2. $k \in_R [1, p-1]$ such that $\gcd(k, p-1) = 1$. 
3. $r = y_A^{x+k}$. 
4. $z = G(r)_{[1 \ldots P]}$. 
5. $c_1 = g^x$. 
6. $c_2 = g^k$. 
7. $c_3 = (h(m) - xr)/k \bmod (p-1)$. 
8. $c_4 = z \oplus m$. 
9. output $(c_1, c_2, c_3, c_4)$. 

end 

The corresponding deciphering algorithm for Alice, who possesses the secret key $x_A$, is as follows: 

Algorithm 6 $D_{sig}(x_A, p, g, c_1, c_2, c_3, c_4)$ 

1. $r' = (c_1 c_2)^{x_A}$. 
2. $z' = G(r')_{[1 \ldots P]}$. 
3. $m' = z' \oplus c_4$. 
4. if $g^{h(m')} = c_1^{r'} c_2^{c_3}$ then 
   output $(m')$ 
   else 
   output $(\emptyset)$. 

end 

Similar to the cryptosystem based on the use of universal hash functions described in Section 4.2, security of the cryptosystem can also be improved by hiding the third part $c_3 = (h(m) - xr)/k \bmod (p-1)$ with extra pseudo-random bits produced by the pseudo-random string generator $G$. In addition, when messages to be enciphered are of $n$ bits, neither the one-way hash function $h$ nor the pseudo-random string generator $G$ is necessary. The enciphering algorithm for this case can be simplified by changing step 4 of the above enciphering algorithm to "$z = r$" and step 7 into "$c_3 = (m - xr)/k \bmod (p-1)$". The deciphering algorithm can be simplified accordingly. 

The first three parts $(c_1, c_2, c_3)$ of the ciphertext represent an adaptation of the ElGamal digital signature. However, since everyone can generate these parts, they do not really form the digital signature of $m$. This immunization method was first proposed in [ZHS91], where other ways for generating the third part $c_3$ in the ciphertext were also suggested. 

In [ZS93] it is proved that, under reasonable assumptions, all three cryptosystems are secure against adaptively chosen ciphertext attacks. We introduce in that paper an interesting notion called sole-samplability, and apply the notion in the proofs of security. 
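Algorithms 5 and 6 as an added Python example (not the paper's code), to make the verification equation $g^{h(m')} = c_1^{r'} c_2^{c_3}$ concrete: with $c_3 = (h(m) - xr)k^{-1} \bmod (p-1)$ the right-hand side equals $g^{xr}\,g^{h(m)-xr} = g^{h(m)}$, and any change to $c_4$ (hence $m'$) or to $c_3$ breaks the equality. Toy parameters by assumption: $p = 2^{127}-1$, fixed base $g = 3$ (not checked to be a generator), SHAKE-256 for $G$ and SHA-256 reduced modulo $p-1$ for the $n$-bit hash $h$.

```python
# Added example: Algorithms 5 and 6 (the ElGamal-signature-style tag) on toy
# parameters. Not the paper's code: p = 2^127 - 1 and base g = 3 are a toy
# choice, SHAKE-256 stands in for the generator G and SHA-256 reduced mod p-1
# for the n-bit one-way hash h.
import hashlib
import math
import secrets

P_PRIME = 2 ** 127 - 1            # Mersenne prime M127 (toy size; assumption)
G_BASE = 3                        # fixed base (the paper wants a generator; assumption)
N_BYTES = (P_PRIME.bit_length() + 7) // 8


def prg_g(seed: int, nbytes: int) -> bytes:
    """Stand-in for G: expands the group element r into nbytes of key stream (SHAKE-256; assumption)."""
    return hashlib.shake_256(seed.to_bytes(N_BYTES, "big")).digest(nbytes)


def h_exp(m: bytes) -> int:
    """One-way hash h of the message, used as an exponent modulo p-1 (SHA-256; assumption)."""
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (P_PRIME - 1)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(u ^ v for u, v in zip(a, b))


def keygen():
    """Alice's secret key x_A in [1, p-1] and public key y_A = g^x_A."""
    x_a = secrets.randbelow(P_PRIME - 1) + 1
    return x_a, pow(G_BASE, x_a, P_PRIME)


def encrypt_sig(y_a: int, m: bytes):
    """Algorithm 5: (c1, c2, c3) is an ElGamal-style signature on h(m) under the one-time key c1."""
    x = secrets.randbelow(P_PRIME - 1) + 1                            # step 1
    k = secrets.randbelow(P_PRIME - 1) + 1                            # step 2: gcd(k, p-1) = 1
    while math.gcd(k, P_PRIME - 1) != 1:
        k = secrets.randbelow(P_PRIME - 1) + 1
    r = pow(y_a, x + k, P_PRIME)                                      # step 3: r = y_A^(x+k)
    z = prg_g(r, len(m))                                              # step 4
    c1 = pow(G_BASE, x, P_PRIME)                                      # step 5
    c2 = pow(G_BASE, k, P_PRIME)                                      # step 6
    c3 = (h_exp(m) - x * r) * pow(k, -1, P_PRIME - 1) % (P_PRIME - 1)  # step 7
    c4 = xor_bytes(z, m)                                              # step 8
    return c1, c2, c3, c4                                             # step 9


def decrypt_sig(x_a: int, c1: int, c2: int, c3: int, c4: bytes):
    """Algorithm 6: output m' only if g^h(m') == c1^r' * c2^c3, else None (the paper's empty symbol)."""
    if not (1 <= c1 < P_PRIME and 1 <= c2 < P_PRIME):
        return None
    r = pow(c1 * c2, x_a, P_PRIME)                                    # step 1: (c1 c2)^x_A = y_A^(x+k)
    m = xor_bytes(prg_g(r, len(c4)), c4)                              # steps 2 and 3
    lhs = pow(G_BASE, h_exp(m), P_PRIME)
    rhs = pow(c1, r, P_PRIME) * pow(c2, c3, P_PRIME) % P_PRIME        # step 4
    return m if lhs == rhs else None


def demo() -> tuple:
    """Round trip, then a flipped bit in c4 and a replaced c3: both must be rejected."""
    x_a, y_a = keygen()
    m = b"constructed sample message"
    c1, c2, c3, c4 = encrypt_sig(y_a, m)
    ok = decrypt_sig(x_a, c1, c2, c3, c4) == m
    bad_c4 = bytes([c4[0] ^ 0x01]) + c4[1:]
    rejected_c4 = decrypt_sig(x_a, c1, c2, c3, bad_c4) is None
    rejected_c3 = decrypt_sig(x_a, c1, c2, (c3 + 1) % (P_PRIME - 1), c4) is None
    return ok, rejected_c4, rejected_c3
```

As the text notes, anyone can produce $(c_1, c_2, c_3)$ for a message of their choosing, so the triple is not a signature by Bob; its role is only to bind $c_4$ to the $r$ that Alice recomputes from $c_1 c_2$.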

5 Extensions of the Cryptosystems 

We have focused our attention on cryptosystems based on the discrete logarithm problem in finite fields. The cryptosystems can also be based on discrete logarithms over other kinds of finite abelian groups, such as those on elliptic or hyper-elliptic curves defined over finite fields [Kob87, Kob89]. Another variant of the cryptosystems is to have a different large prime for each user. This variant can greatly improve practical security of the cryptosystems when a large number of users are involved. 

Our first two methods for immunization, namely immunization with one-way 
hash functions and immunization with universal hash functions, can be applied 
to public key cryptosystems based on other intractable problems. For example, 
the methods can be used to immunize the probabilistic public key cryptosys- 
tem proposed in [BG85], which is based on the intractability of factoring large 
composite numbers. The methods might be extended further in such a way that 
allows us to construct from any trap-door one-way function a public key cryp- 
tosystem secure against adaptively chosen ciphertext attacks. 

Authentication is another important aspect of information security. In many situations, the receiver of a message needs to be assured that the received message truly originated from its sender and that it has not been tampered with during its transmission. Researchers have proposed many unconditionally or computationally secure methods for information authentication [Sim88]. We take the second cryptosystem, which uses universal hash functions, as an example to show that our cryptosystems can easily be given information authentication capability. 

To do so, it is required that the sender Bob also has a pair $(y_B, x_B)$ of public and secret keys. Information authentication is achieved by letting Bob's secret key $x_B$ be involved in the creation of a ciphertext. More specifically, we change step 2 of the enciphering Algorithm 3 to "$r = y_A^{x_B + x}$" and step 1 of the corresponding deciphering Algorithm 4 to "$r' = (y_B c_1)^{x_A}$". Although ciphertexts from Alice to Bob are indistinguishable from those from Bob to Alice, it is infeasible for a user differing from Alice and Bob to create a "legal" ciphertext from Alice to Bob or from Bob to Alice. This property ensures information authentication capability of the cryptosystem. It is not hard to see that computing $g^{x_1(x_2+x_3)}$ from $g^{x_1}$, $g^{x_2}$ and $g^{x_3}$, and computing $g^{x_1 x_2}$ from $g^{x_1}$ and $g^{x_2}$, are equally difficult. Therefore the authentication-enhanced cryptosystem is as secure as the original one. 

The first cryptosystem which is based on the use of a one-way hash function can be enhanced with information authentication capability in a similar way. For the third cryptosystem, the capability can be added by simply replacing $x$, a random string chosen from $[1, p-1]$, with Bob's secret key $x_B$. 

6 Conclusions 

We have presented three methods for immunizing public key cryptosystems 
against chosen ciphertext attacks, among which the second immunization method 
based on the use of universal hash functions is particularly attractive in that no 
one-way hash functions are needed. Each immunization method is illustrated by 
an example of a public key cryptosystem based on the intractability of computing discrete logarithms in finite fields. The generality of our immunization 
methods is shown by their applicability to public key cryptosystems based on 
other intractable problems, such as that of factoring large composite numbers. 
An enhancement of information authentication capability to the example cryp- 
tosystems has also been suggested. 
Abstract 

A zero-knowledge identification scheme built upon the so-called Permuted Kernel Problem (PKP) was proposed by Adi Shamir in 1989 [1]. In this paper, we present a time-memory trade-off leading to a reduction of the computation time for solving the PKP problem, as compared with the best known attack mentioned in [1]. 



1. Introduction 

In 1989, Adi Shamir proposed a new identification scheme, based on the intractability of the Permuted 
Kernel Problem (PKP)[1]. This scheme requires quite limited time, memory and communication resources, 
and is well suited for smart card implementation. 

This paper investigates the security of the new scheme for some of the parameter values suggested in [1] as 
possible choices, subject to a further analysis of their security. Our main conclusion is that the smallest 
parameter values mentioned in [1] (n=32; m=16; p=251) are not recommended, at least for applications 
with strong security requirements. As a matter of fact, we show that for these values there exists a very 
simple time-memory trade-off leading to a faster solution of the PKP problem than the best known attack 
mentioned in [1]. For larger parameter values, this time-memory trade-off does not endanger the practical 
security of the PKP scheme, while the time, space and communication complexities of the PKP scheme 
stay within acceptable limits. 
2. The Permuted Kernel Problem 

We are using, as far as possible, the notations of [1]. The PKP problem is the following: 

Given: 

- a prime number $p$; 
- an $m \times n$ matrix $A = (a_{ij})_{i=1..m;\ j=1..n}$ over $\mathbb{Z}/p\mathbb{Z}$; 
- an $n$-vector $V = (V_j)_{j=1..n}$ over $\mathbb{Z}/p\mathbb{Z}$. 

Find: a permutation $\pi$ over $\{1, \ldots, n\}$ such that $A.V_\pi = 0$, where $V_\pi = (V_{\pi(j)})_{j=1..n}$. 

In the PKP identification scheme, each prover uses a public instance $(p, A, V)$ of the above problem. The values $p, A, V$ are generated as follows: 

- $p$ and $A$ are fixed values agreed by the users (and can be used by several provers). We will here assume that $A$ is of rank $m$ and is generated under the form $[A'\ I]$, where $A'$ is a fixed $m \times (n-m)$ matrix and $I$ is the $m \times m$ identity matrix. (As mentioned in [1], this is not restrictive because both the prover and the verifier can apply Gaussian elimination to any $m \times n$ matrix without changing the kernel.) 

- $V$ (the public key of a prover) is generated from a random permutation $\pi$ and a random vector of the kernel of $A$ (which serve as his secret key) in such a way that $A.V_\pi = 0$. 

To convince a verifier of his identity, a prover gives him evidence of his knowledge of a solution $\pi$ to the $(p, A, V)$ instance by using a zero-knowledge protocol. The detail of this protocol, which is the main subject of [1], is outside the scope of this paper, since we are merely interested in the computational difficulty for an attacker of solving the $(p, A, V)$ instance. 

3. A time-memory trade-off for the PKP problem 

Let $(p, A, V)$ be an instance of the PKP problem generated as explained in Section 2. We are trying to find a permutation $\pi$ such that $A.V_\pi = 0$. 

Using the notations introduced in Section 2, we can rewrite $A.V_\pi = 0$ as: 

$$
\begin{pmatrix}
a'_{1,1} & \cdots & a'_{1,n-m} & 1 & & \\
\vdots & & \vdots & & \ddots & \\
a'_{m,1} & \cdots & a'_{m,n-m} & & & 1
\end{pmatrix}
\begin{pmatrix} V_{\pi(1)} \\ \vdots \\ V_{\pi(n)} \end{pmatrix} = 0
$$

We denote by (1) to (m) the relations provided by the rows 1 to m of the above matrix. 

Note: in the sequel we are sometimes using the notation $A = (a_{ij})_{i=1..m;\ j=1..n}$ instead of the above 'reduced' notation $A = [A'\ I]$; $A' = (a'_{ij})_{i=1..m;\ j=1..n-m}$ to denote the elements of the $A$ matrix. 

We first try to solve the equations (1) to (k), where $k$ is a parameter of our algorithm ($0 \le k \le m$). Because of the structure of the $A$ matrix, these $k$ relations involve only the $n-m+k$ unknown values $V_{\pi(1)}, \ldots, V_{\pi(n-m+k)}$. 

We introduce an additional parameter $k'$ (such that $0 \le k' \le n-m+k$), which determines the amount of storage to be performed in the precomputation phase. 

There are two main steps in the proposed searching method: 

Step 1: precomputation 

For each of the $\frac{n!}{(n-k')!}$ possible values for the $(V_{\pi(1)}, \ldots, V_{\pi(k')})$ $k'$-uple, we calculate the corresponding contributions 

$$b_1 = \sum_{j=1}^{k'} a_{1j} V_{\pi(j)}, \quad \ldots, \quad b_k = \sum_{j=1}^{k'} a_{kj} V_{\pi(j)}$$

to the relations (1) to (k). 

We store these values and the obtained results $b_1, \ldots, b_k$ in such a way that for each of the $p^k$ possible $(b_1, \ldots, b_k)$ values, the list of the corresponding $(V_{\pi(1)}, \ldots, V_{\pi(k')})$ $k'$-uples can be accessed in very few elementary operations. 

The cost of this precomputation step is $\frac{n!}{(n-k')!}$ matrix-vector products. The storage required is about $\frac{n!}{(n-k')!}$ $k'$-uples. The average number of $k'$-uples corresponding to a $(b_1, \ldots, b_k)$ value is $\frac{n!}{(n-k')!}\,p^{-k}$. 

We also introduce the convention that $k' = 0$ means: no precomputation. 



Step 2: exhaustive trial 

We perform an exhaustive trial of the $\frac{n!}{(m+k'-k)!}$ possible values for the $(V_{\pi(k'+1)}, \ldots, V_{\pi(n-m+k)})$ vector. For each tried value, we calculate the corresponding contributions to the relations (1) to (k): 

$$c_1 = \sum_{j=k'+1}^{n-m+k} a_{1j} V_{\pi(j)}, \quad \ldots, \quad c_k = \sum_{j=k'+1}^{n-m+k} a_{kj} V_{\pi(j)}.$$

We can now use the precomputations of Step 1 to obtain a list of possible $(V_{\pi(1)}, \ldots, V_{\pi(k')})$ $k'$-uples. As a matter of fact, the relations (1) to (k) can be rewritten: 

$$b_1 + c_1 = 0;\ \ \ldots;\ \ b_k + c_k = 0,$$

so that the $(V_{\pi(1)}, \ldots, V_{\pi(k')})$ $k'$-uple necessarily belongs to the list of possible $k'$-uples for the $(-c_1, \ldots, -c_k)$ value of $(b_1, \ldots, b_k)$. 

For each tried $(V_{\pi(k'+1)}, \ldots, V_{\pi(n-m+k)})$ vector, we obtain on average $\frac{n!}{(n-k')!}\,p^{-k}$ $(V_{\pi(1)}, \ldots, V_{\pi(k')})$ values. Some of them have to be discarded because some values of $(V_{\pi(1)}, \ldots, V_{\pi(k')})$ are already contained in $(V_{\pi(k'+1)}, \ldots, V_{\pi(n-m+k)})$. 

For each remaining $(V_{\pi(1)}, \ldots, V_{\pi(n-m+k)})$ vector, the still unsolved relations (k+1) to (m) provide successively one single possible value for the numbers $V_{\pi(n-m+k+1)}$ to $V_{\pi(n)}$. At each stage of this process of extending a $(V_{\pi(1)}, \ldots, V_{\pi(n-m+k)})$ candidate to a $(V_{\pi(1)}, \ldots, V_{\pi(n)})$ solution, it has to be checked that the obtained values are non repeating and belong to the $\{V_1, \ldots, V_n\}$ set. This can be done in very few elementary operations. 

The procedure described above finds all the existing solutions (i.e. the secret vector $(V_{\pi(1)}, \ldots, V_{\pi(n)})$ and the other solutions if there are some). The required memory for this step is negligible. The required time is about $\mathrm{Sup}\bigl(\frac{n!}{(m+k'-k)!}\cdot\frac{n!}{(n-k')!}\,p^{-k},\ \frac{n!}{(m+k'-k)!}\bigr)$ matrix vector products. 

In summary, we have shown that for each $(k, k')$ pair ($0 \le k \le m$; $0 \le k' \le n-m+k$) an instance $(p, A, V)$ of the PKP problem can be solved in time: 

$$\frac{n!}{(n-k')!} + \mathrm{Sup}\Bigl(\frac{n!}{(m+k'-k)!}\cdot\frac{n!}{(n-k')!}\,p^{-k},\ \frac{n!}{(m+k'-k)!}\Bigr) \ \text{matrix-vector products} \qquad (i)$$

(cf. note below) 

and space: 

$$\frac{n!}{(n-k')!} \ \ k'\text{-vectors} \qquad (ii)$$

Note: all the matrix vector products considered here involve a submatrix of $A$. Therefore, the cost of each such product can be reduced to very few elementary operations (mod $p$ additions and accesses to arrays), at the expense of a marginal increase of the required space, by precomputing all the linear combinations modulo $p$ of some subsets of the rows in $A$. 
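The two-step search of this section as an added Python example (not the authors' code), run on a constructed toy instance with $n = 8$, $m = 4$, $p = 11$ and the parameters $k = 1$, $k' = 2$ chosen by us. The instance generator plants a kernel vector and a permutation exactly as Section 2 describes ($A = [A'\ I]$, $V_\pi$ in the kernel), so the planted $\pi$ must be among the solutions found; Step 1 indexes every ordered $k'$-uple by its $(b_1, \ldots, b_k)$, Step 2 tries the remaining $n-m+k-k'$ positions and looks up $(-c_1, \ldots, -c_k)$, and the extension step applies relations $(k+1)$ to $(m)$ with the non-repeating check.

```python
# Added example: the Step 1 / Step 2 search of Section 3 on a toy PKP instance.
# Not the paper's code; the instance generator, the toy sizes (n = 8, m = 4,
# p = 11) and the choice k = 1, k' = 2 are our assumptions. Indices are 0-based.
import random
from itertools import permutations


def make_instance(n: int, m: int, p: int, rng: random.Random):
    """Public (A, V) with A = [A' | I] and a planted secret (kernel vector w, permutation pi)."""
    a_prime = [[rng.randrange(p) for _ in range(n - m)] for _ in range(m)]
    A = [row + [int(i == j) for j in range(m)] for i, row in enumerate(a_prime)]
    u = [rng.randrange(p) for _ in range(n - m)]
    # w = (u, -A'u) satisfies [A' | I] w = 0, so w is a kernel vector
    w = u + [(-sum(a_prime[i][j] * u[j] for j in range(n - m))) % p for i in range(m)]
    pi = list(range(n))
    rng.shuffle(pi)
    V = [0] * n
    for j in range(n):
        V[pi[j]] = w[j]                      # V_pi = (V_{pi(j)})_j equals w, hence A.V_pi = 0
    return A, V, tuple(pi)


def is_solution(A, V, p: int, pi) -> bool:
    """Check A.V_pi = 0 over Z/pZ for a full permutation pi."""
    return all(sum(A[i][j] * V[pi[j]] for j in range(len(pi))) % p == 0 for i in range(len(A)))


def contributions(A, V, p: int, rows: int, assigned: list) -> tuple:
    """(sum_j a_{ij} V_{pi(j)})_{i < rows} over the given (position j, index pi(j)) pairs."""
    return tuple(sum(A[i][j] * V[idx] for j, idx in assigned) % p for i in range(rows))


def extend(A, V, p: int, partial: list) -> list:
    """Relations (k+1)..(m): each fixes V_{pi(n-m+i)}; branch over unused indices holding that value."""
    m, n = len(A), len(A[0])
    i = len(partial) - (n - m)               # row whose identity column is the next open position
    if i == m:
        return [tuple(partial)]
    need = (-sum(A[i][j] * V[partial[j]] for j in range(n - m))) % p
    out = []
    for idx in range(n):
        if idx not in partial and V[idx] == need:   # non-repeating and in the {V_1..V_n} set
            out.extend(extend(A, V, p, partial + [idx]))
    return out


def solve_pkp(A, V, p: int, k: int, kp: int) -> list:
    """Section 3 trade-off with parameters k (relations used) and k' = kp (precomputed positions)."""
    m, n = len(A), len(A[0])
    # Step 1: index every ordered k'-uple of distinct indices by its contribution (b_1..b_k)
    table = {}
    for prefix in permutations(range(n), kp):
        b = contributions(A, V, p, k, list(enumerate(prefix)))
        table.setdefault(b, []).append(prefix)
    solutions = []
    # Step 2: exhaustive trial of positions k'+1..n-m+k; matching prefixes satisfy b_i + c_i = 0
    for mid in permutations(range(n), n - m + k - kp):
        c = contributions(A, V, p, k, [(kp + j, idx) for j, idx in enumerate(mid)])
        key = tuple((-x) % p for x in c)
        for prefix in table.get(key, ()):
            if set(prefix).isdisjoint(mid):          # an index may not be used twice
                solutions.extend(extend(A, V, p, list(prefix) + list(mid)))
    return solutions


def demo() -> tuple:
    rng = random.Random(7)                           # fixed seed: reproducible constructed instance
    A, V, secret_pi = make_instance(8, 4, 11, rng)
    found = solve_pkp(A, V, 11, k=1, kp=2)
    return secret_pi in found, all(is_solution(A, V, 11, s) for s in found)
```

Because every $(k, k')$ choice enumerates the same solution set, running the solver with $k = k' = 0$ (plain exhaustive trial of the first $n-m$ positions) returns the same permutations; only the work and the table size change, which is the trade-off the cost formulas (i) and (ii) describe.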

Discussion on the values of k and k' 

The value $k = 0$ corresponds to an exhaustive trial of all the $\frac{n!}{m!}$ possible $(V_{\pi(1)}, \ldots, V_{\pi(n-m)})$ values. The space cost is negligible and the time cost is about $\frac{n!}{m!}$. For larger values of $k$, precomputations on the $k$ first equations may lead to an improved time cost, at the expense of increasing the required storage. Too large values of $k$ are suboptimal, because the set of $n-m+k$ variables involved in the equations (1) to (k) increases too much. 

For a fixed value of $k$, the required amount of storage is an increasing function of $k'$; the time required is a decreasing function of $k'$ as long as $k' < (n-m+k)/2$ and $\frac{n!}{(n-k')!} < p^k$ (the first condition says that the time spent on the precomputation should not exceed the time spent on step 2; the second condition says that the average number of $k'$-uples corresponding to a $(b_1, \ldots, b_k)$ value should be less than 1). Too large values of $k'$ (such that the two above conditions are not realised) are suboptimal, because they lead to an increased memory cost without reducing the time cost. 

4. Impact on the practical security of the PKP scheme 

Table 1 gives the time and memory costs, calculated using (i) and (ii), when $n = 32$; $m = 16$; $p = 251$. Only the $k$ values in the [0..9] interval and the $k'$ values in the [0..15] interval have been considered. The value $k = 0$ leads to a time cost of about $2^{73}$, which is very close to the complexity of the best attack mentioned in [1]. The most interesting values are obtained for $k = 5$; $k' = 8$ (time $2^{60}$ matrix vector products; memory 2^ $k'$-uples) and $k = 6$; $k' = 10$ (time $2^{56}$; memory $2^{47}$). 

The obtained complexity values are considerable, but the two above trade-offs cannot be regarded as strictly computationally infeasible, as was the case for the attack mentioned in [1]. Therefore, the parameter values $n = 32$; $m = 16$; $p = 251$ are not recommended for very secure applications. 

Table 2 gives the time and memory costs corresponding to the parameter values $n = 64$; $m = 37$; $p = 251$ for some of the $k$ and $k'$ parameter values. Some of the obtained time costs are substantially lower than the $2^{84}$ complexity of the best attack mentioned in [1]. For example, for $k = 8$ and $k' = 11$, the obtained time cost is $2^{137}$ matrix vector products, and the required storage is $2^{64}$ $k'$-uples. However, due to the very large values of the obtained time costs, the attacks summarised in Table 2 are computationally infeasible. 
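Formulas (i) and (ii) evaluated for the parameter sets of this section, as an added Python example (not the paper's code). It reproduces the base-2 logarithms quoted above from Tables 1 and 2 ($2^{73}$ for $k = 0$; $2^{60}$ for $k = 5, k' = 8$; $2^{56}$ and $2^{47}$ for $k = 6, k' = 10$; $2^{137}$ and $2^{64}$ for $n = 64$, $k = 8, k' = 11$); truncating the logarithms to integers is our reading of how the tables were rounded.

```python
# Added example: formulas (i) and (ii) for the (k, k') trade-off, evaluated for
# the parameter sets of Section 4. Not the paper's code; the truncation of the
# base-2 logs to integers is our assumption about how the tables were rounded.
from fractions import Fraction
from math import floor, log2, perm


def pkp_cost(n: int, m: int, p: int, k: int, kp: int) -> tuple:
    """(log2 time, log2 space), truncated, for parameters k and k' = kp."""
    pre = perm(n, kp)                        # n!/(n-k')!: k'-uples precomputed, also the space (ii)
    trial = perm(n, n - m + k - kp)          # n!/(m+k'-k)!: vectors tried in step 2
    per_lookup = Fraction(pre, p ** k)       # average k'-uples matching one (b_1..b_k) value
    time = pre + max(trial * per_lookup, Fraction(trial))   # formula (i)
    return floor(log2(time)), floor(log2(pre))


def cost_table(n: int, m: int, p: int, pairs) -> dict:
    """Rows of the paper's tables for the requested (k, k') pairs."""
    return {(k, kp): pkp_cost(n, m, p, k, kp) for k, kp in pairs}


if __name__ == "__main__":
    for (k, kp), (t, s) in cost_table(32, 16, 251, [(0, 0), (5, 8), (6, 10)]).items():
        print(f"n=32 m=16 p=251  k={k} k'={kp}: time 2^{t}, space 2^{s}")
    for (k, kp), (t, s) in cost_table(64, 37, 251, [(8, 11)]).items():
        print(f"n=64 m=37 p=251  k={k} k'={kp}: time 2^{t}, space 2^{s}")
```

The second condition of the discussion above ($n!/(n-k')! < p^k$) shows up directly in `per_lookup`: once it exceeds 1, the first argument of the maximum takes over and further increases of $k'$ only cost memory.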



5. Concluding remarks 

Independently of our work, the security of the PKP problem has also been investigated by J. Georgiades and the results are summarized in [2]. His method, which is based on the resolution of quadratic equations, is less efficient in time cost than the one described in this paper, but requires a negligible amount of storage to solve the PKP problem. We do not know whether both approaches can be combined efficiently. 
Table 1: base 2 log of time cost t and space cost s when n=32; m=16; p=251 
(example: for k=6 and k'=10, t=2**56 and s=2**47) 

(example: for k=8 and k'=11, t=2**137 and s=2**64) 



Massively Parallel Computation of Discrete Logarithms 

Daniel M. Gordon 
Kevin S. McCurley 



Abstract 

Numerous cryptosystems have been designed to be secure under the assumption 
that the computation of discrete logarithms is infeasible. This paper reports on an 
aggressive attempt to discover the size of fields of characteristic two for which the 
computation of discrete logarithms is feasible. We discover several things that were 
previously overlooked in the implementation of Coppersmith's algorithm, some posi- 
tive, and some negative. As a result of this work we have shown that fields as large as 
GF(2^503) can definitely be attacked. 

Keywords: Discrete Logarithms, Cryptography. 

1 Introduction 

The difficulty of computing discrete logarithms was first proposed as the basis of security 
for cryptographic algorithms in the seminal paper of Diffie and Hellman [4]. The discrete 
logarithm problem in a finite group is the following: given group elements g and a, find 
an integer x such that $g^x = a$. We shall write $x = \log_g a$, keeping in mind that $\log_g a$ 
is only determined modulo the multiplicative order of g. For general information on the 
discrete logarithm problem and its cryptographic applications, the reader may consult [9] 
and [11]. In this paper we shall report on some computations done for calculating discrete 
logarithms in the multiplicative group of a finite field GF(2^n), and the lessons we learned 
from the computations. The computations that we carried out used a massively parallel 
implementation of Coppersmith's algorithm [2], combined with a new method of smoothness 
testing. Coppersmith's algorithm will be described in section 2, and our new method of 
smoothness testing will be described in section 2.2. The results of our calculations will be 
presented in section 3. 

A great deal of effort (and CPU time!) has been expended on the cryptographically rele- 
vant problem of factoring integers, but comparatively little effort has gone into implementing 
discrete logarithm algorithms. The only published reports on computations of discrete logarithms 
in GF(2^n) are in [1] and [2, 3]. Both papers report on the calculation of discrete 
logarithms in the field GF(2^127). 

Odlyzko [11] has carried out an extensive analysis on Coppersmith's algorithm and pro- 
jected the number of 32-bit operations required to deal with a field of a given size. A similar 
analysis was made by van Oorschot [13]. Many of their predictions are consistent with our 
experience, but there were some surprising discoveries that show their analysis to be quite 
optimistic. We were able to complete most of the computation to compute discrete logarithms 
for fields of size up to GF(2^503), and can probably go at least a little bit further with 
our existing machines. The major limitation at this point seems to lie as much in the linear 
algebra as the equation generation, due to the large amount of computation time and storage 
needed to process equations for a large factor base. 

Analyses of the type made by van Oorschot and Odlyzko can be extremely useful to chart 
the increase in difficulty of computing discrete logarithms as the field size increases. It is 
however almost impossible to get exact operation counts to within anything better than an 
order of magnitude using such an analysis. Among the reasons for this are: 

• if a high-level language is used, then compilers vary widely in their ability to efficiently 
translate the code into machine instructions. 

• even counting 32-bit operations is not enough, since the number of clock cycles may 
vary widely. On the nCUBE-2 that was used for most of our computation, 32-bit 
integer instructions take between 2 and 38 machine cycles. 

• data cache misses can cost many operations (as many as 10 cycles on the Intel i860). 

For these and other reasons, it is impossible to get very accurate estimates from analytic 
methods alone. The only reliable method is to actually implement the algorithms with 
careful attention to details, and measure the running time. 

In the course of this work, we used a variety of machines for the computations. The 
parallel machines were all MIMD (multiple instruction, multiple data), and included 

• a 1024 processor nCUBE-2, with four megabytes per processor, 

• a 64 processor Intel iPSC/860, with 3-32 megabytes per processor, 

• the 512-processor Intel Touchstone Delta, with 16 megabytes per processor. 

We started out with the intention of using a Thinking Machines CM-2, but for technical 
reasons associated with the SIMD hardware and the system software, we found this to be 
uncompetitive. It also had the disadvantage that it required using a language specific to the 
machine, whereas the other machines could all accept standard C, with a few minor changes 
to accommodate differences in message passing syntax. 

2 Coppersmith's algorithm 

Coppersmith's algorithm belongs to a class of algorithms that are usually referred to 
as index calculus methods, and has three stages. In the first stage, we collect a system 
of linear equations (called relations) that are satisfied by the discrete logarithms of certain 
group elements belonging to a set called a factor base. In our case, the equations are really 
congruences modulo the order of the group, or modulo $2^n - 1$. In the second stage, we 
solve the set of equations to determine the discrete logarithms of the elements of our factor 
base. In the third stage, we compute any desired logarithm from our precomputed library 
of logarithms for the factor base. 

For the Coppersmith algorithm, it is convenient that we construct our finite field GF(2^n) 
as GF(2)[x]/(f(x)), where f is an irreducible polynomial of the form $x^n + f_1(x)$, with $f_1$ of 
small degree. Heuristic arguments suggest that this should be possible, and a search that 
we made confirms this, since it is possible to find an $f_1$ of degree at most 11 for all n up 
to 600, and it is usually possible to find one of degree at most 7. For the construction of 
fields, it is also convenient to choose f so that the element x (mod f(x)) is primitive, i.e. of 
multiplicative order $2^n - 1$. As we shall explain later, there are other factors to be considered 
in the choice of $f_1$. 
For a given polynomial f that describes the field, there is an obvious projection from 
elements of the field to the set of polynomials over GF(2) of degree at most n. In our case, 
we shall take as our factor base the set of field elements that correspond to the irreducible 
polynomials of degree at most B for some integer B to be determined later. Call a polynomial 
B-smooth if all its irreducible factors have degrees not exceeding B. Let m be the cardinality 
of the factor base, and write $g_i$ for an element of the factor base. We note that an equation 
of the form 

$$\prod_{i=1}^{m} g_i^{e_i} \equiv x^{l} \pmod{f(x)}$$

implies a linear relationship of the form 

$$\sum_{i=1}^{m} e_i \log_x g_i \equiv l \pmod{2^n - 1}.$$

In order to describe the first stage in the Coppersmith method, we shall require further 
notation. Let r be an integer, and define $h = \lfloor n 2^{-r} \rfloor + 1$. To generate a relation, we first 
choose random relatively prime polynomials $u_1(x)$ and $u_2(x)$ of degrees at most $d_1$ and $d_2$, 
respectively. We then set $w_1(x) = u_1(x) x^h + u_2(x)$ and 

$$w_2(x) = w_1(x)^{2^r} \pmod{f(x)}. \qquad (1)$$

It follows from our special choice of f(x) that we can take 

$$w_2(x) = u_1(x^{2^r})\, x^{h 2^r - n} f_1(x) + u_2(x^{2^r}), \qquad (2)$$

so that $\deg(w_2) \le \max(2^r d_1 + h 2^r - n + \deg(f_1),\; 2^r d_2)$. If we choose $d_1$, $d_2$, and $2^r$ to be of 
order $n^{1/3}$, then the degrees of $w_1$ and $w_2$ will be of order $n^{2/3}$. If they behave as random 
polynomials of that degree (as we might expect), then there is a good chance that they will 
be B-smooth. If so, then from (1) we obtain a linear equation involving the logarithms of 
polynomials of degree at most B. 

An asymptotic analysis of the algorithm suggests that it is possible to choose the parameters 
in such a way that the expected running time to complete stage one is of the form 

$$\exp\big((c_2 + o(1))\, n^{1/3} \log^{2/3} n\big), \quad \text{where } c_2 < 1.405.$$

The system of equations generated by the first phase is relatively sparse, and there exist 
algorithms to solve the system that have an asymptotic running time of $O(m^{2+\epsilon})$ (see section 2.4). 
If such algorithms are used, then the asymptotic running time of the algorithm 
turns out to be the same as the first phase. 

An analysis of the running time for the third stage (which we do not describe in detail 
here) suggests a running time of 

$$\exp\big((c_3 + o(1))\, n^{1/3} \log^{2/3} n\big),$$

where $c_3 < 1.098$, so it takes less time than the first two stages. 

The preceding statements pertain to the asymptotic running time, but give only a rough 
estimate of the time required in practice for actual cases. 

2.1 Refinements of Stage 1. 

Odlyzko has suggested several ways to speed up the performance of stage 1. None of these 
affect the asymptotic running time, but each of them may have some practical significance 
by speeding up the implementation by a factor of two or three. We shall not discuss these 
methods in great detail, but merely report on some of them. 
Forcing a Factor Into $w_1$ and $w_2$  One method that was suggested by Odlyzko for 
improving the probability that $w_1$ and $w_2$ were smooth was by forcing them to contain at 
least one small degree factor. The method is described in complete detail in [11] and [13], 
but roughly speaking we fix polynomials $v_1$ and $v_2$ of degree at most B, and consider those 
$(u_1, u_2)$ pairs for which $w_1$ and $w_2$ are divisible by $v_1$ and $v_2$ respectively. The $(u_1, u_2)$ pairs 
with this property are described by a rather small set of linear equations modulo 2, and we 
can easily find such pairs by Gaussian elimination. For the size fields that we considered, 
the linear systems had fewer than 50 rows and equations, and a special purpose routine to 
solve these systems proved to be extremely efficient (rows could be added together by using 
two xor operations on 32-bit integers). One problem with this method is that different $v_1, v_2$ pairs 
can lead to the same $u_1, u_2$ pairs, making it rather difficult to avoid duplication of effort. As 
far as we can tell, we were the first to implement this method, and our experience with it 
seemed to agree with the predictions made by Odlyzko. 

Large Prime Variation One well known method for speeding up the generation of equa- 
tions is to also use equations that involve one irreducible polynomial of degree only slightly 
larger than B. The rationale for this is that these equations can be discovered essentially for 
free, and two such equations involving the same "large prime" can be combined to produce 
an equation involving only the irreducibles of degree at most B. Many such equations can 
be discovered by checking whether after removing the smooth part from a polynomial, the 
residual factor has small degree. After combining two such equations, the equations pro- 
duced are on average twice as dense as the other equations, so they complicate the linear 
algebra in stage 2. Many of these equations can however be generated more or less for free, 
so we chose to use them in the calculations. 

Double Large Prime Variation  Just as we can use equations involving only a single 
irreducible of degree slightly larger than B, we can also use equations having two "large prime" 
factors. This has been used to speed up the quadratic sieve integer factoring algorithm [8], 
and we might expect the same sort of benefit when it is applied to the Coppersmith algorithm. 
Many such equations can be produced from reporting those $u_1, u_2$ pairs that produced 
a $w_1$ and $w_2$ both of which contained a large prime factor. 

Smoothness Testing The most time-consuming part of the Coppersmith algorithm is 
the testing of polynomials for smoothness. At least two methods have been suggested for 
doing this, both of which are outlined in [11]. Of the two methods, we found the one used 
by Coppersmith to work faster for our implementation, and this was initially what we used. 
For this method, a polynomial w(x) is tested for m-smoothness by computing 

$$w'(x) \prod_{i=1}^{m} \left(x^{2^i} + x\right) \pmod{w(x)} \qquad (3)$$

and checking whether the result is zero. 

A faster method, using a polynomial sieve, will be outlined in Section 2.2. 

Early Abort Strategy One strategy that has been suggested for locating smooth integers 
is to search through random integers, initially dividing by small primes. At a certain point, 
we then check to see if the residual factor has moderate size, and abort the testing if it fails. 
It so happens that a random integer is more likely to be B-smooth from having many very 
small prime factors than it is from having just a few factors near B, and it follows that we 
should not spend a lot of time dividing by moderately large primes to test for smoothness. 
This strategy has come to be known as the "early abort" strategy, and the same heuristic 
reasoning carries over to the smoothness testing part of Coppersmith's algorithm. Odlyzko 
predicted that this may result in a speedup of a factor of two in the algorithm, but we 
never got around to implementing it. The major reason for this is that there seems to be 
no obvious way to combine this idea with sieving, and the latter gave a somewhat better 
speedup. 

2.2 A Polynomial Sieve 

Our first implementation of Coppersmith's algorithm used methods suggested previously 
by Odlyzko and Coppersmith to test polynomials for smoothness. After having carried out 
the computation for the case n = 313, we looked around for any variations that would speed 
up the smoothness testing. Drawing on the knowledge that sieving can be exploited to 
great advantage in integer factoring algorithms, we sought a way to use sieving to test many 
polynomials simultaneously for smoothness. Sieving over the integers is relatively efficient 
due to the fact that integers that belong to a fixed residue class modulo a prime lie a fixed 
distance apart, and it is very easy to increment a counter by this quantity and perform a 
calculation on some memory location corresponding to the set element. 

For polynomials, the problem is slightly different, since we saw no obvious way of repre- 
senting polynomials in such a way that representatives of a given residue class are a fixed 
distance apart. It turns out that this is not a great deterrent, since what is important is 
the ability to quickly move through the representatives, and for the data structures that we 
used, this can be done using the notion of a Gray code. 

Polynomials over GF(2) of degree less than d can be thought of as the vertices of a 
d-dimensional hypercube, with the coefficient of $x^i$ in a polynomial corresponding to the ith 
coordinate of a vertex. A Gray code gives a natural way to efficiently step through all such 
polynomials. The same applies to all polynomials that are divisible by a fixed polynomial g. 

Let $G_1, G_2, \ldots, G_{2^d}$ be the standard binary reflected Gray code of dimension d. For any 
positive integer x, let l(x) be the low-order bit of x, i.e. the integer i such that $2^i \,\|\, x$. Then 
we have (see, for example, [10]): 

Proposition 1. The bit that differs in $G_x$ and $G_{x+1}$ is l(x). 

This allows us to efficiently step through the Gray code. Let $s[0], \ldots, s[2^t - 1]$ be 8-bit 
memory locations corresponding to the $u_2$ of degree less than t in the obvious way (mapping 
$u_2(x)$ to $u_2(2)$). Figure 1 describes an algorithm which takes $u_1$, and finds all $u_2$ of degree 
less than t such that $w_1 = u_1 x^h + u_2$ is B-smooth. 

Note that the inner loop consists of only two 32-bit operations, a shift to multiply g by 
$x^i$ and an exclusive-or to add $g x^i$ to $u_2$, and one 8-bit add. 

The actual implementation has a few additions. It checks for large primes, by reporting 
any pair for which $s[u_2] > (\deg(u_1) + h - LP)$, where LP is the maximum degree of a large 
prime. A sieve by powers of irreducibles up to degree B is also done. Instead of calculating 
$u_1 x^h \bmod g$ each time to start sieving, $x^h \bmod g$ is saved for each g. Then to step from one 
$u_1$ to another, we only have to add a shift of $x^h \bmod g$ to the starting sieve location. 

A sieve over polynomials $w_2$ would work similarly: the main difference is that initializing 
$u_2$ requires taking a fourth root, which slows things down. It turned out to be more efficient 
to test smoothness of each $w_2$ corresponding to a smooth $w_1$ individually, since only a small 
number of pairs $u_1, u_2$ survive the $w_1$ sieve ($w_1$ has much higher degree than $w_2$). 

One reason that sieving works so well for the quadratic sieve algorithm is that it replaces 
multiple precision integer calculations with simple addition operations. We gain the same 
sort of advantage in Coppersmith's algorithm, by eliminating the need for many modular 
multiplications involving polynomials. The actual operation counts for sieving come out 
rather close to the operation counts given in [11] and [13], but in the case of sieving the 
operations are somewhat simpler, and the speedup is substantial. 

The number of 32-bit operations to sieve a range of $u_1, u_2$ pairs is proportional to log B 
times the size of the range. This is because there are about $2^d/d$ irreducible polynomials of 
degree d, so the number of steps to sieve a range of l pairs is: 
$$\sum_{d=1}^{B} \frac{2^d}{d}\left(\frac{l}{2^d} + c\right) = l \sum_{d=1}^{B} \frac{1}{d} + c \sum_{d=1}^{B} \frac{2^d}{d} \approx l \log B + c\,\frac{2^{B+1}}{B},$$

where c represents the startup time for each irreducible. Each of these steps uses a fixed 
number of 32-bit operations (typically between 2 and 12, depending on the machine, compiler, 
and source code used). If l is sufficiently large, then the c operations performed for each 
irreducible become inconsequential. The time spent on finding the initial locations for sieving 
by each polynomial in the factor base can be made inconsequential by amortizing it over 
several sieving runs. 

    for i = 0 to 2^t - 1 
        s[i] <- 0                             /* initialize sieve locations */ 
    for d = 1 to B 
        dim <- max(t - d, 0)                  /* dimension of Gray code */ 
        for each irreducible g of degree d 
            u_2 <- u_1 x^h mod g 
            if degree(u_2) < t then 
                for i = 1 to 2^dim 
                    s[u_2] <- s[u_2] + d 
                    u_2 <- u_2 + g x^{l(i)}   /* u_2 = u_1 x^h mod g + g G_i */ 
    for i = 0 to 2^t - 1 
        if s[i] > (degree(u_1) + h - B) then print u_1, u_2 

Figure 1: Pseudocode for sieve algorithm 

In comparison, the number of 32-bit operations needed to test a polynomial for smoothness 
using Coppersmith's method is at least $3Bh^2/32$ (see [13]), where $h = \lfloor n 2^{-r} \rfloor + 1$ is the 
approximate degree of $w_1$. As n (and therefore B and h as well) become large, the advantage 
of using a polynomial sieve becomes overwhelming. 

Note that the memory access patterns for the array s[·] in the sieving algorithm are 
somewhat chaotic, since the indices of consecutive values for u 2 are widely and irregularly 
dispersed. For processors such as the Intel i860 whose performance is heavily dependent on 
using memory caches, this severely limits the performance improvement gained from sieving. 
By contrast, the nCUBE processor is not so dependent on memory access patterns, and the 
improvement from sieving was more pronounced. 
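The sieve of Figure 1, written out as an added Python example (not the paper's own C code): polynomials over GF(2) are held as Python ints, the Gray-code walk visits every $u_2 \equiv u_1 x^h \pmod{g}$ of degree less than t, and the sieve by powers of irreducibles that the text mentions is included, so that $s[u_2]$ comes out as exactly the degree of the B-smooth part of $w_1$ and the threshold of Figure 1 selects precisely the smooth $w_1$. The toy parameter values and the trial-division confirmation step are the example's own assumptions, not the paper's.

```python
# Added example: the polynomial sieve of Figure 1 in pure Python (the paper's
# own implementation was in C).  Polynomials over GF(2) are Python ints with
# bit i holding the coefficient of x^i, so the map u_2(x) -> u_2(2) is the identity.

def deg(a):
    """Degree of a GF(2)[x] polynomial; deg(0) == -1."""
    return a.bit_length() - 1

def gf2_mul(a, b):
    """Carry-less product of two polynomials over GF(2)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        b >>= 1
    return r

def gf2_divmod(a, m):
    """Quotient and remainder of a divided by m in GF(2)[x]."""
    q, dm = 0, deg(m)
    while deg(a) >= dm:
        sh = deg(a) - dm
        q ^= 1 << sh
        a ^= m << sh
    return q, a

def gf2_mod(a, m):
    return gf2_divmod(a, m)[1]

def gf2_gcd(a, b):
    while b:
        a, b = b, gf2_mod(a, b)
    return a

def irreducibles_upto(B):
    """The factor base: every irreducible polynomial of degree 1..B, found by
    trial division with the irreducibles of at most half its degree."""
    irr = []
    for d in range(1, B + 1):
        for p in range(1 << d, 1 << (d + 1)):
            if all(gf2_mod(p, g) for g in irr if deg(g) <= d // 2):
                irr.append(p)
    return irr

def lowbit(i):
    """l(i) of Proposition 1: the index such that 2^l(i) exactly divides i."""
    return (i & -i).bit_length() - 1

def sieve(u1, h, t, B, irr):
    """Figure 1, extended with the sieve by prime powers that the text mentions:
    on return s[u2] is the degree of the B-smooth part of w1 = u1*x^h + u2,
    for every u2 of degree < t (assumes t <= h, so deg(w1) = deg(u1) + h)."""
    s = [0] * (1 << t)                       # one 'memory location' per u2
    dw = deg(u1) + h
    for g in irr:
        d = deg(g)
        m = g                                # current modulus g^k
        while deg(m) <= dw:
            dim = max(t - deg(m), 0)         # dimension of the Gray code
            u2 = gf2_mod(u1 << h, m)         # start: u2 == u1*x^h (mod m)
            if deg(u2) < t:
                # Visit u2 = start + m*G_i for i = 1..2^dim.  The toggle after the
                # last visit flips bit dim and leaves the array; it is never indexed.
                for i in range(1, (1 << dim) + 1):
                    s[u2] += d
                    u2 ^= m << lowbit(i)
            m = gf2_mul(m, g)
    return s

def smooth_factorization(w, irr):
    """Trial division by the factor base: {g: exponent} if w is smooth, else None."""
    fac = {}
    for g in irr:
        while True:
            q, r = gf2_divmod(w, g)
            if r:
                break
            w, fac[g] = q, fac.get(g, 0) + 1
    return fac if w == 1 else None

def find_smooth_w1(u1, h, t, B):
    """All u2 of degree < t, coprime to u1, with w1 = u1*x^h + u2 B-smooth.
    The sieve picks candidates with the threshold of Figure 1; trial division
    then confirms each one and yields the exponent vector of the relation."""
    irr = irreducibles_upto(B)
    s = sieve(u1, h, t, B, irr)
    hits = {}
    for u2 in range(1, 1 << t):
        if s[u2] > deg(u1) + h - B and gf2_gcd(u1, u2) == 1:
            fac = smooth_factorization((u1 << h) ^ u2, irr)
            if fac is not None:
                hits[u2] = fac
    return hits

if __name__ == "__main__":
    # Constructed toy parameters: u1 = x^3 + x + 1, h = 8, u2 of degree < 6, B = 4.
    for u2, fac in sorted(find_smooth_w1(0b1011, 8, 6, 4).items()):
        print(f"u2 = {u2:#08b}  w1 factors as", {f"{g:#b}": e for g, e in fac.items()})
```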



2.3 The choice of $f_1$ 

Once we were quite sure that our sieving code was giving completely reliable results, we 
were unpleasantly surprised that the number of relations discovered was not in agreement 
with the heuristic arguments given in [11] and [13], but was instead considerably smaller. 
This led us to reconsider the arguments there, in an attempt to produce more accurate 
predictions on the number of equations produced by examining a certain range of u\ and u 2 . 

The assumption made in both [11] and [13] that $w_1$ and $w_2$ are smooth as often as 
a random polynomial of the same degree is not quite accurate. We shall provide several 
justifications for this statement, based on heuristic arguments showing ways that $w_1$ and $w_2$ 
(particularly $w_2$) deviate from behaviour of random polynomials. We have been unable to 
combine all of the effects we know of into an analytical method for accurately predicting 
these probabilities. Luckily, it is relatively simple to make random trials to estimate the 
actual probabilities. 

For the cases that we shall be most interested in, $w_2$ has the form 

$$w_2 = x^T u_1(x)^4 f_1(x) + u_2(x)^4, \qquad (4)$$

where $T = 4h - n$ is 1 or 3, and $\gcd(u_1, u_2) = 1$. In the following discussion, g will be an 
irreducible polynomial of degree d. 

First, note that if $g \mid u_1$, then $g \nmid u_2$, and therefore $g \nmid w_1$ and $g \nmid w_2$. Hence if $g \mid w_1$ or 
$g \mid w_2$, then $g \nmid u_1$. It follows that if $g^e \mid w_2$ for some integer e, then 

$$x^T f_1(x) \equiv \left(u_2 u_1^{-1}\right)^4 \pmod{g^e}. \qquad (5)$$

Note that if $e \ge 2$ and $de > T + \deg(f_1)$, then (5) is clearly impossible, since the right 
side reduces to a polynomial with only even exponents modulo $g^2$, whereas the left side will 
have odd powers since T is odd and $f_1(0) = 1$. Hence if $d > (T + \deg(f_1))/2$, it follows that 
$g^2$ cannot divide $w_2$. This shows that $w_2$ is much more likely to be squarefree than a random 
polynomial, and therefore somewhat less likely to be smooth. 

Another example of nonrandom behaviour from $w_2$ can be seen from examining the 
expected value of the degree of the power of an irreducible that divides $w_2$, compared to the 
expected power that divides a random polynomial. One can easily show that in some sense, 
a truly random polynomial will be divisible by an irreducible factor g to the e'th power 
with probability $1/2^{de}$, and will be exactly divisible by the e'th power with probability 
$(2^d - 1)/2^{d(e+1)}$. Hence the expected value of the degree of the power of g that divides a 
random polynomial is $d/(2^d - 1)$. 



  f_1                                factorization                           probability 
  x^8 + x^5 + x^4 + x^2 + x + 1       (1+x)^2 (1 + x + x^3 + x^4 + x^6)        0.002468 
  x^8 + x^7 + x^5 + x^2 + x + 1       (1+x) (1 + x^2 + x^3 + x^4 + x^7)        0.002366 
  x^9 + x^8 + x^5 + 1                 (1+x)^4 (1 + x + x^2) (1 + x + x^3)      0.002607 
  x^10 + x^7 + x^6 + x^3 + x^2 + 1    (1+x)^2 (1 + x^3 + x^5 + x^6 + x^8)      0.001956 
  x^10 + x^9 + x^8 + x^2 + x + 1      (1+x)^8 (1 + x + x^2)                    0.002383 

Table 1: Empirical probabilities that a $(u_1, u_2)$ pair will produce a smooth $w_2$, for n = 593 
and different choices of $f_1$. Tests based on examination of over five million random relatively 
prime pairs $(u_1, u_2)$ of degrees 22 and 24, respectively. 

The expected contribution to a polynomial $w_2$ is somewhat different. For the case where 
$g \nmid x^T f_1(x)$, an easy counting argument on residue classes modulo g shows that the probability 
that g divides $w_2$ is $(2^d - 1)/(2^{2d} - 1) = 1/(2^d + 1)$, so that the expected degree of the power of 
g dividing $w_2$ is $d/(2^d + 1)$, somewhat smaller than for a random polynomial. If $g^e \mid x^T f_1(x)$ 
for some integer $e \le 4$, then $g^e$ is automatically guaranteed to divide $w_2$ whenever $g \mid u_2$. If 
e is large for a small degree g, then this helps $w_2$ to be smooth, but if e = 1, then it makes 
$w_2$ less likely to be smooth. 

A complete analysis of this situation is probably not worth the effort. In this paper, it 
suffices to illustrate the effects by considering the example of n = 593. The only $f_1$'s of 
degree up to 10 for which $x^{593} + f_1$ is irreducible are in Table 1. Clearly the first two $f_1$'s in 
the table have an advantage from having the smallest degrees, but the third and fifth have 
an advantage from the large power of 1 + x that divides them. The tradeoffs between these 
effects are not at all clear, but the results of the experiments show that the third $f_1$ gives 
a slight advantage, in spite of its larger degree. For the case of n = 503, it turned out that 
$f_1 = x^3 + 1$ was the best choice. 
2.4 Linear Algebra 

The solution of sparse linear systems over finite fields has received much less attention 
than the corresponding problem of solving sparse linear systems over the field of real numbers. 
The fundamental difference between these two problems is that issues involving numerical 
stability problems arising from finite precision arithmetic do not arise when working over a 
finite field. The only pivoting that is required is to avoid division by zero. Algorithms for 
the solution of sparse linear systems over finite fields include: 

• standard Gaussian elimination, 

• structured Gaussian elimination, 

• Wiedemann's algorithm, 

• Conjugate Gradient, 

• Lanczos methods. 

           sparse matrix                          dense matrix 
   n     equations   unknowns    nonzeros       size    nonzeros   reduction 
  313     108736      58636      1615469        9195     633987      84% 
  401     117164      58636      2068707       16139    1203414      72% 
  503     434197     210871     10828595       78394    6394049      63% 

Table 2: Results of structured Gaussian elimination for various n. 

A description of these methods can be found in the paper by LaMacchia and Odlyzko [7], 
where they describe their experience in solving systems that arise from integer factoring algo- 
rithms and the computation of discrete logarithms over fields GF(p) for a prime p. We chose 
to implement three of these algorithms: conjugate gradient, Wiedemann, and structured 
Gaussian elimination. For handling multiple precision integers we used the Lenstra-Manasse 
package. The original systems were reduced in size using the structured Gaussian elimina- 
tion algorithm, after which the conjugate gradient or Wiedemann algorithm was applied to 
solve the smaller (and still fairly sparse) system. 

This approach was used by LaMacchia and Odlyzko in [7] with great success. The 
structured Gaussian elimination reduced their systems by as much as 95%, leaving a small 
system that could easily be solved on a single processor. We were not as successful, due to 
a feature of the equations that Coppersmith's method produces. For the equations in [7], 
almost all the coefficients are ±1, and so during the Gaussian elimination most operations 
involve adding or subtracting one row from another. For our systems, half of the coefficients 
are multiples of 4, and so it is often necessary to multiply a row by ±4 before adding it to 
another. This caused the coefficients in the dense part of the matrix to grow rapidly. 

This presented a dilemma. If the matrix coefficients are allowed to become large integers, 
then the arithmetic operations take considerably more time (and require considerable more 
complicated code). The alternative is to restrict which rows can be added to others, to keep 
the coefficients down to 32 bits. This results in a larger matrix, which also slows down stage 
2. We elected to deal with the larger matrices. Table 2 gives results for partial Gaussian 
elimination on several systems. 

For the 127, 227, and 313 systems, we were able to solve the systems on a workstation (the 
last one took approximately ten days). The other systems were clearly too large to be solved 
on a single processor workstation, and the algorithm requires too much communication to 
effectively run on a network of workstations. We therefore wrote a parallel version (MIMD) 
of the conjugate gradient code. A single source program was written in C that would compile 
for Suns, the Intel iPSC/860, the Intel Delta Touchstone, and the nCUBE-2. 

Parallelization of the algorithm was accomplished by distributing the matrix rows and 
columns across the processors. A matrix-vector multiply is then done by multiplying the 
rows held by the processor times the entire vector. After this operation, each processor 
communicates to every other processor (in a logarithmic manner) its contribution to the 
vector result. The distribution of the matrix rows was done by simply assigning the same 
number of rows to each processor. The structure of the matrix is such that each processor 
then gets essentially the same number of nonzero entries. For the distribution of the columns, 
this is certainly not the case, as the first few columns contain far more nonzeros than the 
last few columns. The columns of the matrix were then permuted in order to approximately 
balance the number of nonzeros assigned to each processor, and some processors ended up 
getting far more columns. This creates a slight imbalance in the communication phase, but 
is better than an imbalance in the computation phase. 

Unfortunately, this approach suffered from a severe problem when scaled to a large num- 
ber of processors, since the first column of the reduced 503 matrix contained 61166 nonzero 
entries, but a perfect load balance on 1024 processors would place 6394049/1024 ≈ 6244 
nonzeros on each processor. Proper load balancing of the matrix multiplication would there- 
fore have required that we divide columns between processors, and we were reluctant to 
modify the code for this due to the added complexity. 

Instead, we chose to implement the Wiedemann method. This had the advantage that it 
required only multiplications of the coefficient matrix times a vector, not the multiplication 
of the transpose of the matrix. Once again, however, we discovered that there were scaling 
problems in moving to a large number of processors, since the amount of communication 
required for sharing results at the end of the distributed matrix- vector multiply increased at 
least with the logarithm of the number of processors, whereas the amount of computation 
decreases linearly with the number of processors. Hence when this code was run on 1024 
processors of the nCUBE, it ran only slightly faster than it would run on 512 processors. 
For more dense matrices, the speedup would be larger, but so would the total runtime. This 
problem was even worse on the 512 processor Delta, where the bisection bandwidth of the 
machine is about 16% of that of the nCUBE, but the peak processor speed is about 10 times 
faster. 

The communication that we used in each matrix- vector multiplication is often called 
an all-to-all broadcast, or global concatenation. For machines such as the nCUBE-2 and 
iPSC/860 that use a hypercube topology for their communications network, there is a fairly 
obvious algorithm for accomplishing the all-to-all broadcast in log(p) phases on p processors, 
passing a minimal amount of information, with no contention for communication channels. 
The Intel Delta Touchstone uses instead a 16 x 32 two-dimensional mesh topology. When we 
first ported the code from the iPSC/860 to the Delta, we were using an Intel-supplied library- 
routine for the communication, but we found that the performance of the Intel routine was 
far from optimal on the Delta, and the result was that the Delta showed almost no speedup 
in moving to more processors. Subsequent to this, the second author worked with David 
Greenberg to develop code and algorithms that improved the performance of the all-to-all 
broadcast library routine (gcolx()) by a factor of 21. This work is reported in [5]. 

The Wiedemann algorithm requires the use of the Berlekamp-Massey algorithm for com- 
puting the minimal polynomial of the matrix. In contrast to the matrix-vector multiplica- 
tions, this turned out to be quite easy to parallelize, since the core operations required are 
polynomial additions that are easily parallelized. The only difficulty arises from the fact that 
the degree steadily increases through the computation, requiring continual load balancing. 
Eventually the degree of the polynomials becomes large enough that this communication 
becomes insignificant, and all communication is between nearest-neighbor processors in the 
network topology, giving very good scalability to large parallel machines. In practice, the 
Berlekamp-Massey algorithm turned out to consume much less time than the matrix- vector 
multiplications. 
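As an added example (not code from the paper or its authors), the following shows the two ingredients just described on a toy system over GF(p): Berlekamp-Massey recovers the minimal polynomial of the projected Krylov sequence u^T A^i b, and Wiedemann's method reads A^{-1} b off that polynomial using only matrix-vector products. The matrix, right-hand side and prime modulus are constructed here for illustration.

```python
# Added example, not code from the paper: Wiedemann's method on a small system
# over GF(p), with Berlekamp-Massey supplying the minimal polynomial of the
# projected Krylov sequence u^T A^i b.  A_DEMO, B_DEMO and P_DEMO are constructed.
import random


def matvec(A, v, p):
    """A v mod p; the only operation on A that Wiedemann's method needs."""
    return [sum(a * x for a, x in zip(row, v)) % p for row in A]


def berlekamp_massey(seq, p):
    """Connection polynomial C = [1, c_1, ..., c_L] of the shortest LFSR with
    s_i + c_1 s_{i-1} + ... + c_L s_{i-L} ≡ 0 (mod p) for every i >= L."""
    C, B, L, m, b = [1], [1], 0, 1, 1
    for i, s in enumerate(seq):
        d = s                                   # discrepancy of the current LFSR at s_i
        for j in range(1, L + 1):
            d = (d + C[j] * seq[i - j]) % p
        if d == 0:
            m += 1
            continue
        T = C[:]
        coef = d * pow(b, p - 2, p) % p
        if len(C) < len(B) + m:
            C += [0] * (len(B) + m - len(C))
        for j, bj in enumerate(B):              # C <- C - (d/b) x^m B
            C[j + m] = (C[j + m] - coef * bj) % p
        if 2 * L <= i:
            L, B, b, m = i + 1 - L, T, d, 1
        else:
            m += 1
    return C[:L + 1], L


def wiedemann_solve(A, b, p, seed=1):
    """Solve A x ≡ b (mod p) for nonsingular A using 2n matrix-vector products
    per attempt; a fresh random projection u is tried if the check A x = b fails."""
    n = len(A)
    rng = random.Random(seed)
    b = [x % p for x in b]
    for _ in range(20):
        u = [rng.randrange(p) for _ in range(n)]
        v, seq = b[:], []
        for _ in range(2 * n):                  # 2n terms pin down a recurrence of degree <= n
            seq.append(sum(ui * vi for ui, vi in zip(u, v)) % p)
            v = matvec(A, v, p)
        C, L = berlekamp_massey(seq, p)
        if L == 0 or C[L] == 0:
            continue
        # g(A) b = sum_{j=0..L} C[j] A^{L-j} b = 0, hence A w = -C[L] b with
        # w = sum_{j<L} C[j] A^{L-1-j} b, and x = -w / C[L].
        powers = [b[:]]
        for _ in range(L - 1):
            powers.append(matvec(A, powers[-1], p))
        w = [0] * n
        for j in range(L):
            for k in range(n):
                w[k] = (w[k] + C[j] * powers[L - 1 - j][k]) % p
        inv = pow((-C[L]) % p, p - 2, p)
        x = [wk * inv % p for wk in w]
        if matvec(A, x, p) == b:                # reject a solution built from a lossy projection
            return x
    return None


# constructed instance: a 4x4 nonsingular matrix (det = -306) over a small prime
P_DEMO = 1000003
A_DEMO = [[2, 1, 0, 5], [1, 3, 1, 0], [0, 1, 4, 2], [7, 0, 1, 6]]
B_DEMO = [1, 2, 3, 4]
```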
To summarize, after we had invested a substantial amount of time in writing code for the 
various algorithms, we became aware that communication would be a severely limiting factor 
in the use of distributed memory parallel machines for solving the linear systems. Since then 
we have learned of other methods [6], [12] that might dramatically improve the performance. 
We believe that there remains substantial room for improvement in this area, using these 
and other ideas. 

3 Results 

We have completed the precomputation step required to compute discrete logarithms for 
the fields GF(2^n) for n = 227, n = 313, and n = 401. Once this step has been completed, 
individual logarithms can be found comparatively easily. We have not bothered to implement 
the third phase yet, as we expect the running time for this to be substantially less than the 
first two phases. 

The code for producing equations has gone through many revisions and removal of bugs. 
As a result, we ended up using much more computer time for producing the equations for 
401 and 503 than would be required with our current version of the code. Moreover, most 
of our computations were carried out on the nCUBE-2, which has no queueing of jobs, and 
no priority system. We therefore wrote our own queueing system, and wrote some code 
for other users to kill our jobs. This extremely crude approach allowed us to aggressively 
consume computer time while at the same time allow other users to carry on their normal 
development activities. The unfortunate result is that many ranges of u_1, u_2 pairs were only 
partially completed before they were killed, so that very accurate statistics on the completed 
ranges are difficult to keep. After running the code for 503 for several months, we decided to 
go back and redo 401 with more care, to keep more accurate records and make an accurate 
measurement of the amount of calculation required. 

For the case of GF(2^401), we chose to search through all u_1 of degree up to 20, and all u_2 
of degree up to 22. The nCUBE-2 was able to process approximately 1.5 x 10^8 u_1, u_2 pairs 
per hour on a single processor. Using the full 1024 processors of our nCUBE-2, we could 
therefore carry out this calculation in approximately 111 hours, or just under 5 days. For 
comparison, a Sparcstation 2 is able to process approximately 6 x 10* u_1, u_2 pairs per hour, 
so a single Sun workstation would take approximately 19,000 days (or more realistically, 500 
workstations would take just over a month). 

Searching this range of u_1, u_2 pairs produced a total of 117,164 equations from a factor 
base of 58,636 polynomials (all irreducibles of degree up to 19). It also produced approxi- 
mately 700,000 equations each of which involved only one "large prime" polynomial of degree 
20 or 21, which we ended up ignoring due to previously mentioned difficulties with solving 
the linear system. Clearly there is a tradeoff to be made between producing more equations 
with a longer sieving phase, or spending more time on solving a harder system of equations. 
Since the sieving can be carried out in a trivially parallel manner, we opted to spend more 
time on this rather than claim the whole machine for a long dedicated period to solve a 
larger system of equations. 

For the case of n = 503, we attempted to search all u_1 of degree up to 22 and all u_2 
of degree up to 25 (again, some of this range was missed by killed jobs, but the percentage 
should be small). This range produced 165,260 equations over the factor base of 210,871 
polynomials of degree up to 21. Combining pairs of equations involving a single irreducible 
of degree 22 or 23 brought the total up to 361,246 equations. We estimate that repeating 
this calculation would take approximately 44 days on the full 1024-processor nCUBE. In 
practice it took us several months due to the fact that we were trying to use idle time, and 
we never used the full machine. We later extended this calculation to produce a total of 
434,197 equations, by running over some u_1 polynomials of degree 23. 

The parallel conjugate-gradient code was able to solve the system of equations for n = 313 
in 8.3 hours on 16 processors of a 64-processor Intel iPSC/860. The equations for n = 401 
took approximately 33 hours on 32 processors. 
Note that 2^503 - 1 factors as 

2^503 - 1 = 3213684984979279 · 12158987054135300783 · 1373030665061080894263 · p_4 
          = p_1 · p_2 · p_3 · p_4, 

where p_4 is a prime of 96 decimal digits. Solution of the system modulo 2^503 - 1 can thus be 
accomplished by solving four separate systems modulo these prime factors, and combined 
afterwards using the Chinese remainder theorem. The only truly hard part is solving the 
system modulo p_4, since the individual operations are much slower and the amount of data 
to be communicated is also larger. 

Our original projections for the solution of the 503 equations were too optimistic, since we 
underestimated the cost of communication. We have still not completed the solution of the 
503 equations, but have now at least made timings of individual iterations to estimate the 
amount of time required. Timings that we have made on the Delta Touchstone and nCUBE-2 
show that solution of the system modulo p_1 using the Wiedemann algorithm would take 
approximately 106 hours on 256 processors of the nCUBE for the matrix multiplications, and 
38.4 hours on 512 processors of the Delta. The Berlekamp-Massey calculation would require 
less than two hours on each of these. For the prime p_4, we are unable to run the matrix-vector 
multiplications on the nCUBE with our current code due to memory limitations, but the time 
for matrix multiplications on the Delta is estimated at approximately 105 hours. Logistics 
have simply prevented us from reserving enough time on the machine to solve the equations 
in a single run (after all, the purpose of our project was to investigate the effectiveness of 
massively parallel computers and better algorithms, not to do real cryptanalysis). 

4 Conclusion 

We started out by repeating Coppersmith's calculation of discrete logarithms for GF(2^127). 
Our original goal was to determine whether it was possible to compute discrete logarithms 
for the field GF(2^593), which has been suggested for possible use in at least one existing 
cryptosystem. Odlyzko predicted that fields of size up to 521 should be tractable using 
the fastest computers available within a few years (exact predictions are difficult to make 
without actually carrying out an implementation). van Oorschot predicted that computing 
discrete logarithms in GF(2^401) should be about as difficult as factoring 100 digit numbers. 
Both predictions turned out to be reasonable. 

We believe that 521 should now be possible to complete, albeit with the consumption of 
massive amounts of computing time. Discrete logarithms in GF(2^593) still seem to be out 
of reach. Sandia National Laboratories is scheduled to take delivery of an Intel Paragon 
machine in July 1993 whose peak speed is approximately 50 times the speed of the nCUBE-2 
used for this work. Massively parallel machines are expected to be built in the next five 
years that will reach peak performance levels approximately 500 times faster than the 1024 
processor nCUBE-2 that was our primary machine. Unfortunately, this peak speed will be 
harder to attain in future architectures, so the actual increase in speed for a given application 
is difficult to project. With a concerted effort on one of these faster machines, or further 
algorithmic improvements, computing discrete logarithms in GF(2^593) might be possible 
within the next 5-10 years. It would require a much larger factor base (we estimate at least 
the irreducibles up to degree 23, or 766150 polynomials). It would also be a computation of 
enormous proportions, and is not likely to be completed in the near future without further 
innovations. 
Abstract. Let $N$ be a large odd integer. We show how to produce a 
long sequence $\{(X_i, Y_i)\}_{i=1}^{2^n}$ of integers modulo $N$ which satisfy $X_i^2 \equiv 
Y_i$ modulo $N$, where $X_i > N^{1/2}$ and $|Y_i| < cN^{1/2}$. Our sequence 
corresponds to a Hamiltonian path on the $n$-dimensional hypercube $C_n$, 
where $n$ is $\Theta(\log N / \log\log N)$. One application of these techniques is 
that, at each vertex of the hypercube, it is possible to search for equations 
of the form $U^2 \equiv V$ modulo $N$ with $V$ a product of small primes. The 
search is as in the quadratic sieve algorithm and therefore very fast. This 
yields a faster way of changing polynomials in the Multiple Polynomial 
Quadratic Sieve algorithm, since moving along the hypercube turns out 
to be very cheap. 

1 Introduction 

Given a large odd integer $N$, there is no known way of efficiently generating ran- 
dom congruences of the form $X^2 \equiv Y$ modulo $N$ with $Y$ substantially smaller 
than $N^{1/2}$. One reason for wanting to generate such congruences is that they 
can be used to factor $N$. The Continued Fraction Algorithm [2] factors $N$ by 
generating many such congruences, choosing the ones for which $Y$ factors over 
a small prime factor base $FB$, and then solving a linear system of equations in 
order to create one congruence $X^2 \equiv Z^2$ modulo $N$ which, if $X \not\equiv \pm Z$, yields a 
proper factor $p = \mathrm{GCD}(X + Z, N)$ of $N$. An important bottleneck in the Contin- 
ued Fraction Algorithm is the cost of testing whether $Y$ factors over $FB$. This is 
done by trial division for each prime in the factor base. The Quadratic Sieve Al- 
gorithm [6] considers a sequence $\{(X_i, Y_i)\}_{i=1}^{M}$ of $M$ pairs where $X_i = \lfloor\sqrt{N}\rfloor + i$ 
and $Y_i = X_i^2 - N$. Since $Y_i$ is given by an integer quadratic polynomial, it is 
easy to predict which $Y_i$'s will be divisible by a given prime $p$. The values of 
$i$ which generate $Y_i \equiv 0 \bmod p$ lie on two arithmetic progressions $\alpha \pm kp$ and 
$\beta \pm kp$ ($k = 0, 1, \ldots$). The cost of avoiding trial division is that the $Y_i$'s are 
of order $O(MN^{1/2})$ and therefore they are less likely to factor over $FB$ than 
the $Y$'s generated by the Continued Fraction Algorithm. However, avoiding trial 
division more than compensates for the increased size of the $Y_i$'s. A variation 
on the Quadratic Sieve Algorithm is the Multiple Polynomial Quadratic Sieve 
[8] (MPQS), which uses several polynomials as a way to fight the increase in 
the size of the $Y_i$'s. The latter is currently the algorithm of choice for factoring 
integers which are about one hundred digits long. 
We show how to produce a long sequence $\{(X_i, Y_i)\}_{i=1}^{2^n}$ of integers modulo 
$N$ which satisfy $X_i^2 \equiv Y_i$ modulo $N$, where $X_i > N^{1/2}$ and $|Y_i| < cN^{1/2}$. Our 
sequence corresponds to a Hamiltonian path on the $n$-dimensional hypercube 
$C_n$, where $n$ is $\Theta(\log N / \log\log N)$. One application of these techniques is that, 
at each vertex of the hypercube, it is possible to search for equations of the 
form $U^2 \equiv V$ modulo $N$ with $V$ smooth. The search is as in the quadratic 
sieve algorithm and therefore very fast. This yields a factoring algorithm which 
is faster than the Multiple Polynomial Quadratic Sieve algorithm, since moving 
along the hypercube turns out to be very cheap. The asymptotics of the new 
algorithm are as in MPQS. Therefore it is not asymptotically as fast as the 
recently discovered Number Field Sieve algorithm [3, 1]. 



2 Generating "small" quadratic congruences 

Let $N$ be a large odd integer. We will use the symbol "$\equiv$" to denote modular 
congruence, and we will restrict the use of "$=$" to equality. Let $s, t$ be such that 

- $t = \prod_{j=1}^{n} p_j$, where the $p_j$'s are distinct primes ($n$ will be chosen later). 

- The prime 2 may be among the $p_j$'s if and only if $N \equiv 1$ modulo 4. 

- $N$ is a quadratic residue modulo each $p_j$. 

- $s$ satisfies $s^2 \equiv N$ modulo $t^2$ and $|s| < t^2$. 

Lemma 1. Let $c = t/N^{1/4}$. Let $x \equiv s/t$ modulo $N$ and $y \equiv x^2$ modulo $N$ 
where $y$ is the member of the residue class of $x^2$ with smallest absolute value. 
Then $|y| < c_1 N^{1/2}$ where $c_1 = \mathrm{Max}\{c^2 - \frac{1}{c^2}, \frac{1}{c^2}\}$. 



Proof. Since $s^2 \equiv N$ modulo $t^2$, we have $s^2 = kt^2 + N$ for some (possibly 
negative) integer $k$. Then $y \equiv \frac{s^2}{t^2} \equiv \frac{kt^2 + N}{t^2} \equiv k$, where congruence is 
modulo $N$. Thus we may choose $y = k$. Since $s^2 < t^4$ and $t = cN^{1/4}$, we have 

$$|y| = |k| = \frac{|s^2 - N|}{t^2} < \mathrm{Max}\left\{t^2 - \frac{N}{t^2},\ \frac{N}{t^2}\right\} = N^{1/2}\,\mathrm{Max}\left\{c^2 - \frac{1}{c^2},\ \frac{1}{c^2}\right\}. \qquad \square$$ 

Thus, if $c \in (1, \sqrt{(1+\sqrt{5})/2})$, then $|y| < N^{1/2}$ (the golden mean strikes again!). 
Also note that $\mathrm{Max}\{c^2 - \frac{1}{c^2}, \frac{1}{c^2}\}$ is minimized at $c = 2^{1/4}$. For $c < 2^{1/4}$, the 
bound is $\frac{1}{c^2}$. For $c > 2^{1/4}$, the bound is $c^2 - \frac{1}{c^2}$. 

By construction, there are $2^n$ square roots of $N$ modulo $t^2$. Given the $p_j$'s, it 
is a simple matter to compute one such root $s_1$. By the Chinese Remainder Theo- 
rem, we may think of $s_1$ as an $n$-tuple $(\alpha_1, \ldots, \alpha_n)$, where $\alpha_j^2 \equiv N$ modulo $p_j^2$. 
Then the complete set of square roots of $N$ modulo $t^2$ is given by $(\pm\alpha_1, \ldots, \pm\alpha_n)$ 
for all choices of signs $\pm$. Any member of this set can be easily calculated as a 
sum $\sum_j \delta_j \alpha_j b_j$ modulo $t^2$ where 

- $\delta_j$ is the sign at the $j$-th coordinate. 

- $b_j$ is the unique element of $\mathbb{Z}_{t^2}$ which is 1 modulo $p_j^2$ and 0 modulo $p_i^2$ for 
$i \ne j$. 

Note that there are two possible values for each $\alpha_j$. We will choose $\alpha_j$ such 
that $b_j\alpha_j$ modulo $t^2$ is less than $t^2/2$. 

The maximum size of $n$ can be estimated from the familiar relation $\sum_{p \le x} \ln p 
\sim x$, where the sum is over all primes $p$ less than or equal to $x$. Since $N$ is 
typically a quadratic residue modulo half of the first $2n$ primes we can estimate 
the maximum $n$ from $2n \sim \pi(x)$ where $x$ satisfies $\prod_{p \le x} p \sim N^{1/2}$ (in this way, 
the product of the approximately $n$ primes for which $N$ is a quadratic residue is 
approximately $N^{1/4}$). This implies $\sum_{p \le x} \ln p \sim \frac{1}{2}\ln N$ and so $x \sim \frac{1}{2}\ln N$. Thus 

$$n \sim \tfrac{1}{2}\,\pi\!\left(\tfrac{1}{2}\ln N\right) \sim \frac{\tfrac{1}{4}\ln N}{\ln\ln N - \ln 2} = \Theta(\log N / \log\log N).$$ 

Example: the RSA modulus 

The 129-digit RSA modulus 

$N_{RSA}$ = 114381625757888867669235779976146612010218296721242362562561842935706935245733897830597123563958705058989075147599290026879543541 

is a quadratic residue modulo the 20 primes 

{2, 5, 17, 19, 29, 37, 41, 43, 47, 59, 79, 97, 101, 103, 107, 113, 131, 151, 157, 163}. 

Letting $t$ be the product of all these primes except 79, we get $t \approx 1.01\,N^{1/4}$. 
Thus, for this case we get $n = 19$. 

3 Traversing the hypercube 

The set of square roots of $N$ modulo $t^2$ can be thought of as the $n$-dimensional 
hypercube, where we connect two roots if and only if they differ at exactly one 
sign. A Hamiltonian path on the hypercube is defined by a starting point $s_1$ 
and the sequence $\{k_i\}_{i=1}^{2^n - 1}$ of coordinate changes, e.g. $k_{130} = 8$ means the 130th 
move on the Hamiltonian path is a change of sign at coordinate 8. Let $\mu_i = +1$ 
if move $i$ switches a $-$ sign for a $+$ sign and $\mu_i = -1$ if move $i$ switches a $+$ 
sign for a $-$ sign. Let $\gamma_j \equiv \alpha_j b_j$ modulo $t^2$, where $\alpha_j, b_j$ are as defined in the 
previous section. Note that, by our choice of $\alpha_j$, we have $0 < \gamma_j < t^2/2$ for all $j$. 
Then we may define the $i$-th square root of $N$ modulo $t^2$ by 

$$s_{i+1} = s_i + 2\mu_i\gamma_{k_i} - \omega_i t^2$$ 

where $\omega_i$ is a correction factor to make $s_i \in (0, t^2)$. Note that $\omega_i$ is always $-1$, $0$, 
or $+1$. The sequence of $\omega_i$'s can be easily computed from the few most significant 
bits of the $\gamma_j$'s, and if simply allowed to be 0, the values of $s_i$ will remain in a 
small interval (as shown by our next example). 

An $n$-dimensional cube $C_n$ is composed of two $(n-1)$-dimensional cubes 
$C^1_{n-1}, C^2_{n-1}$ whose vertices are connected in a 1-1 fashion. Thus, a simple way 
to traverse the $n$-cube is 

- traverse $C^1_{n-1}$; 

- move to $C^2_{n-1}$; 

- traverse $C^2_{n-1}$. 

The recursive procedure works because on moving to $C^2_{n-1}$ the algorithm 
finds itself at a node which is, up to isomorphism, the same starting node as 
in $C^1_{n-1}$. From now on we will assume the Hamiltonian path on the $n$-cube is 
generated by this procedure. 

Example: Traversing the 3-cube 

A traversal of the 3-cube yields 

    i      |  1    2    3    4    5    6    7 
    k_i    |  1    2    1    3    1    2    1 
    mu_i   | -1   -1   +1   -1   -1   +1   +1 

Using $\omega_i = 0$ for all $i$, this table gives the following values for the $s_i$'s. 

    s_1 = s_0 - 2\gamma_1 
    s_2 = s_1 - 2\gamma_2 = s_0 - 2(\gamma_1 + \gamma_2) 
    s_3 = s_2 + 2\gamma_1 = s_0 - 2\gamma_2 
    s_4 = s_3 - 2\gamma_3 = s_0 - 2(\gamma_2 + \gamma_3) 
    s_5 = s_4 - 2\gamma_1 = s_0 - 2(\gamma_1 + \gamma_2 + \gamma_3) 
    s_6 = s_5 + 2\gamma_2 = s_0 - 2(\gamma_1 + \gamma_3) 
    s_7 = s_6 + 2\gamma_1 = s_0 - 2\gamma_3 
The value of $s_5$ could be larger in absolute value than $2t^2$, but no larger than 
$3t^2$. This illustrates the point that if the $\omega_i$'s are not used then $s_i$ still remains in 
the interval $(-nt^2, nt^2)$.² Also note that the sequence of $k_i$'s can be generated 
in linear time (to generate the sequence for $C_n$ simply put $n$ between two copies 
of the sequence for $C_{n-1}$). 

² Different Hamiltonian paths on the hypercube might yield different bounds. 
Thus the integer recurrence 

$$s_{i+1} = s_i + 2\mu_i\gamma_{k_i} - \omega_i t^2$$ 

together with 

$$x_i \equiv (s_i/t) \bmod N; \qquad y_i \equiv (x_i)^2 \bmod N$$ 

yield 

$$|y_i| < \mathrm{Max}\left\{c^2 - \tfrac{1}{c^2},\ \tfrac{1}{c^2}\right\} N^{1/2}$$ 

if $y_i$ is the member of the residue class of $x_i^2$ with smallest absolute value. We 
will now produce an integer recurrence for the $y_i$'s. 
Note that, modulo $N$, 

$$y_{i+1} \equiv (s_{i+1}/t)^2 \equiv \left(\frac{s_i + 2\mu_i\gamma_{k_i} - \omega_i t^2}{t}\right)^2 \equiv (s_i/t)^2 + \frac{(2\mu_i\gamma_{k_i} - \omega_i t^2)^2 + 2s_i(2\mu_i\gamma_{k_i} - \omega_i t^2)}{t^2}$$ 

$$= y_i + \frac{(2\mu_i\gamma_{k_i} - \omega_i t^2)^2 + 2s_i(2\mu_i\gamma_{k_i} - \omega_i t^2)}{t^2}.$$ 

Since $s_i^2 \equiv N$ modulo $t^2$ and $s_{i+1}^2 \equiv N$ modulo $t^2$, we have that $(2\mu_i\gamma_{k_i} - 
\omega_i t^2)^2 + 2s_i(2\mu_i\gamma_{k_i} - \omega_i t^2)$ is congruent to 0 modulo $t^2$. Thus 

$$\frac{(2\mu_i\gamma_{k_i} - \omega_i t^2)^2}{t^2} + \frac{2s_i(2\mu_i\gamma_{k_i} - \omega_i t^2)}{t^2}$$ 

is an integer which is easily seen to be of order $N^{1/2}$. This means the integer 
recurrence 

$$y_{i+1} = y_i + \frac{(2\mu_i\gamma_{k_i} - \omega_i t^2)^2}{t^2} + \frac{2s_i(2\mu_i\gamma_{k_i} - \omega_i t^2)}{t^2}$$ 

holds. By lemma 1, $y_1$ can be chosen so that $|y_1| < c_1 N^{1/2}$ where $c_1 = \mathrm{Max}\{c^2 - 
\frac{1}{c^2}, \frac{1}{c^2}\}$. Again by lemma 1, the integer recurrence generates $y_i$'s whose absolute 
value is less than $\mathrm{Max}\{c^2 - \frac{1}{c^2}, \frac{1}{c^2}\}N^{1/2}$. 
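The constructions of sections 2 and 3 carried through on a small instance, as an added example that is not part of the paper: the $2^n$ square roots of $N$ modulo $t^2$ are built by CRT, walked along the recursive Hamiltonian path (the $k_i$ sequence, the $\mu_i$ signs and the $\omega_i$ corrections), and the $y_i$ are produced by the integer recurrence above and checked against Lemma 1's bound. $N = 100000009$ and the primes 3, 5, 7 are constructed for illustration; $t = 105 \approx N^{1/4}$, so $c \approx 1.05$ and the bound is below $N^{1/2}$.

```python
# Added example, not code from the paper: square roots of N modulo t^2 (Section 2),
# the Hamiltonian walk s_{i+1} = s_i + 2 mu_i gamma_{k_i} - omega_i t^2 (Section 3),
# and the integer recurrence for y_i = (s_i^2 - N)/t^2.  N_DEMO and PRIMES_DEMO are
# constructed; square roots modulo p_j^2 are found by brute force since p_j is tiny.

def sqrt_mod_prime_square(N, p):
    """Smallest alpha with alpha^2 ≡ N (mod p^2)."""
    q = p * p
    for a in range(q):
        if (a * a - N) % q == 0:
            return a
    raise ValueError("N is not a square modulo %d^2" % p)


def build_roots(N, primes):
    """t = prod p_j, the gamma_j = alpha_j b_j mod t^2 chosen with 0 < gamma_j < t^2/2,
    and the root s_1 = sum_j gamma_j mod t^2 (every sign delta_j = +1)."""
    t = 1
    for p in primes:
        t *= p
    t2 = t * t
    gammas = []
    for p in primes:
        q = p * p
        alpha = sqrt_mod_prime_square(N, p)
        m = t2 // q
        b = m * pow(m, -1, q) % t2        # CRT idempotent: 1 mod p^2, 0 mod the other p_i^2
        g = alpha * b % t2
        if g > t2 // 2:                   # the other sign of alpha_j gives t^2 - g
            g = t2 - g
        gammas.append(g)
    return t, gammas, sum(gammas) % t2


def gray_moves(n):
    """k_1 .. k_{2^n - 1}: the sequence for C_n is n between two copies of C_{n-1}'s."""
    if n == 0:
        return []
    inner = gray_moves(n - 1)
    return inner + [n] + inner


def traverse(N, primes, use_omega=True):
    """Walk all 2^n roots; returns t, the roots s_1.., and the y_i from the recurrence
    y_{i+1} = y_i + (d^2 + 2 s_i d)/t^2 with d = 2 mu_i gamma_{k_i} - omega_i t^2."""
    t, gammas, s = build_roots(N, primes)
    t2 = t * t
    signs = [+1] * len(primes)
    y = (s * s - N) // t2                 # y_1 = k from the proof of Lemma 1
    roots, ys = [s], [y]
    for k in gray_moves(len(primes)):
        mu = -signs[k - 1]                # switching + for - is mu = -1, and vice versa
        signs[k - 1] = mu
        omega = 0
        if use_omega:                     # omega_i in {-1, 0, +1} keeps s_i inside (0, t^2)
            cand = s + 2 * mu * gammas[k - 1]
            omega = -1 if cand < 0 else (1 if cand >= t2 else 0)
        d = 2 * mu * gammas[k - 1] - omega * t2
        y += (d * d + 2 * s * d) // t2    # exact: the numerator is 0 modulo t^2
        s += d
        roots.append(s)
        ys.append(y)
    return t, roots, ys


def lemma1_bound(N, t):
    """c_1 N^(1/2) with c = t / N^(1/4) and c_1 = Max{c^2 - 1/c^2, 1/c^2}."""
    c2 = (t / N ** 0.25) ** 2
    return max(c2 - 1 / c2, 1 / c2) * N ** 0.5


# constructed instance: N is a quadratic residue modulo 3, 5 and 7; t = 105 ≈ N^(1/4)
N_DEMO, PRIMES_DEMO = 100000009, [3, 5, 7]
```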

Now let us traverse the hypercube "modulo $p$", where $p$ is a small prime. 
This simply means generating the sequence of $y_i$'s modulo $p$. Assume $p$ is not a 
factor of $t$. We may write 

$$y_{i+1} \equiv y_i + \psi_i + s_i\tau_i$$ 

where 

$$\psi_i = \frac{(2\mu_i\gamma_{k_i} - \omega_i t^2)^2}{t^2}, \qquad \tau_i = \frac{2(2\mu_i\gamma_{k_i} - \omega_i t^2)}{t^2}.$$ 

Note that $\psi_i$, $\tau_i$ and $2\mu_i\gamma_{k_i} - \omega_i t^2$ can take on at most $6n$ values ($\mu_i$ can take on two 
values, $\omega_i$ can take on three values, and $\gamma_{k_i}$ can take on $n$ values). Thus, $\psi_i$, $\tau_i$ 
and $2\mu_i\gamma_{k_i} - \omega_i t^2$ can be read from precomputed tables, of size $6n$ and indexed by $\mu_i, \omega_i, k_i$. 
Thus, computing $(y_{i+1}, s_{i+1})$ modulo $p$ from $(y_i, s_i)$ modulo $p$ involves one multi- 
plication and three additions modulo $p$. The cost of computing $s_{i+1} \bmod p$ from 
$s_i \bmod p$ is one addition modulo $p$. This fact will be used in section 4. 

Note that precomputation is not possible if $p$ divides $t$, since then $\psi_i$ and $\tau_i$ 
may not be defined modulo $p$. More specifically, $\psi_i, \tau_i$ are not defined modulo 

Also note that, if $N$ is not a quadratic residue modulo $p$, then $p$ does not 
divide $y_i$. This can be shown as follows: Suppose $N$ is not a quadratic residue 
modulo $p$. Then $p$ does not divide $t^2$ and therefore $p$ divides $y_i = \frac{s_i^2 - N}{t^2}$ if and 
only if $p$ divides $s_i^2 - N$. But if this was the case then $s_i^2 \equiv N$ modulo $p$, which 
would contradict the assumption that $N$ is not a quadratic residue modulo $p$. 

4 A factoring algorithm 

The algorithm consists of visiting $A$ vertices of the hypercube and, at each vertex 
$s$, finding the values of $\lambda$ for which 

$$z_\lambda \equiv (s/t + \lambda t)^2 \bmod N \qquad (\lambda \in (-M, M))$$ 

is $B$-smooth. The optimal values of $A$, $B$, and $M$ will follow from the analysis of 
the algorithm. We actually do not compute the $z_\lambda$, but rather find the values of 
$\lambda$ for which $z_\lambda$ is $B$-smooth. So that the $z_\lambda$ are "small", we will choose $t \approx N^{1/4}/\sqrt{M}$. 
Notice that 

$$z_\lambda \equiv (s/t)^2 + \lambda^2 t^2 + 2s\lambda \bmod N.$$ 

Thus we set 

$$(s/t)^2 + \lambda^2 t^2 + 2s\lambda \equiv 0 \bmod p.$$ 

This yields 

$$\lambda \equiv (-s \pm \sqrt{N})\,t^{-2} \bmod p,$$ 

where $\sqrt{N}$ is a modular square root. Therefore $z_\lambda$ is divisible by $p$ for all $\lambda = 
kp + D_s$ and all $\lambda = kp + E_s$, where 

- $k$ is an integer; 

- $D_s \equiv (-s + \sqrt{N})\,t^{-2} \bmod p$; 

- $E_s \equiv (-s - \sqrt{N})\,t^{-2} \bmod p \equiv D_s - 2\sqrt{N}\,t^{-2} \bmod p$. 
Thus, the "good" $\lambda$ modulo $p$ are in arithmetic progressions. Therefore standard 
sieving techniques can be used to find those $\lambda$ for which $z_\lambda$ is $B$-smooth. 

We may precompute $\sqrt{N} \bmod p$, $t^{-2} \bmod p$, and $-2\sqrt{N}\,t^{-2} \bmod p$. Therefore 
computing $D_s$ and $E_s$ involves 

- one addition to compute $s \bmod p$ (see section 3); 

- one addition and one multiplication to compute $D_s$; 

- one addition to compute $E_s$. 

Thus the total cost of moving from one vertex of the hypercube to another is, 
essentially, three additions and one multiplication modulo $p$ for each prime in 
the factor base. This is much cheaper than the cost of changing polynomials in 
the Multiple Polynomial Quadratic Sieve. 
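The sieve of section 4 at one vertex, as an added example that is not the paper's code: the roots $D_s, E_s$ are computed from the precomputed per-prime table, updated cheaply when the vertex changes (one multiplication and two additions), and the two arithmetic progressions are walked over $\lambda \in (-M, M)$; the claim that $p \mid z_\lambda$ exactly on those progressions is then checked against the integer $z_\lambda$. $N$, $t$, the bound $B$ and $M$ are constructed for illustration, and the factor base excludes the primes dividing $t$, as the precomputation requires.

```python
# Added example, not code from the paper: sieve roots D_s, E_s of Section 4, their
# update between neighbouring vertices, and the sieve pass over lambda in (-M, M).
# N_DEMO, T_DEMO, B_DEMO are constructed; modular square roots are brute-forced (p tiny).

def z_value(N, s, t, lam):
    """The integer z_lambda ≡ (s/t + lambda t)^2 (mod N): ((s + lambda t^2)^2 - N)/t^2."""
    t2 = t * t
    num = (s + lam * t2) ** 2 - N
    assert num % t2 == 0                 # exact because s^2 ≡ N (mod t^2)
    return num // t2


def factor_base(N, t, B):
    """Primes p < B not dividing t for which N is a quadratic residue modulo p."""
    fb = []
    for p in range(2, B):
        if all(p % d for d in range(2, p)) and t % p != 0:
            if any((r * r - N) % p == 0 for r in range(p)):
                fb.append(p)
    return fb


def precompute(N, t, p):
    """Per-prime table: sqrt(N) mod p, t^{-2} mod p and -2 sqrt(N) t^{-2} mod p."""
    r = next(r for r in range(p) if (r * r - N) % p == 0)
    tinv2 = pow(t * t % p, -1, p)
    return r, tinv2, (-2 * r * tinv2) % p


def roots_at_vertex(s, p, table):
    """D_s ≡ (-s + sqrt N) t^{-2} and E_s ≡ D_s - 2 sqrt(N) t^{-2}  (mod p)."""
    r, tinv2, e_offset = table
    D = (-s + r) * tinv2 % p
    return D, (D + e_offset) % p


def step_roots(D, delta_s, p, table):
    """Roots at the neighbouring vertex s + delta_s: D moves by -delta_s * t^{-2}
    (one multiplication and one addition), E by one further addition."""
    _, tinv2, e_offset = table
    D = (D - delta_s * tinv2) % p
    return D, (D + e_offset) % p


def sieve_positions(N, s, t, fb, M):
    """For each lambda in (-M, M), the factor-base primes the sieve marks as divisors
    of z_lambda, found by walking the progressions kp + D_s and kp + E_s."""
    hits = {lam: [] for lam in range(-M + 1, M)}
    for p in fb:
        for root in set(roots_at_vertex(s, p, precompute(N, t, p))):
            lam = -(M - 1) + (root + M - 1) % p      # smallest lambda > -M in the class
            while lam < M:
                hits[lam].append(p)
                lam += p
    return hits


def smooth_part(z, fb):
    """Cofactor of |z| after trial division by the factor base (1 means B-smooth)."""
    z = abs(z)
    for p in fb:
        while z % p == 0:
            z //= p
    return z


def smooth_lambdas(N, s, t, fb, M):
    """Sieve candidates (some prime hit them) confirmed smooth by trial division."""
    hits = sieve_positions(N, s, t, fb, M)
    return [lam for lam, ps in hits.items()
            if ps and smooth_part(z_value(N, s, t, lam), fb) == 1]


# constructed instance: N is a quadratic residue modulo 3, 5, 7 and t = 3*5*7,
# s is the smallest square root of N modulo t^2
N_DEMO, T_DEMO, B_DEMO, M_DEMO = 100000009, 105, 60, 40
S_DEMO = next(s for s in range(T_DEMO ** 2) if (s * s - N_DEMO) % T_DEMO ** 2 == 0)
```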

We now show that the $z_\lambda$'s are about $MN^{1/2}$ in absolute value. Recall that 
$t \approx N^{1/4}/\sqrt{M}$ and consider 

$$z_\lambda \equiv (s/t + \lambda t)^2 \equiv (s/t)^2 + \lambda^2 t^2 + 2s\lambda \bmod N.$$ 

As in the proof of lemma 1 we have $(s/t)^2 \bmod N = k$ where $s^2 = kt^2 + N$. Since 
$s^2 < t^4 < N$, we have that $k$ is negative. By lemma 1, $|(s/t)^2 \bmod N| = |k| < 
MN^{1/2}$. Assuming, for simplicity, that $t < N^{1/4}/\sqrt{M}$, we have $\lambda^2 t^2 < M^2\frac{N^{1/2}}{M} = 
MN^{1/2}$. Since $s < t^2$, we have $|2s\lambda| < 2Mt^2 = 2N^{1/2} \ll MN^{1/2}$. Thus 
$z_\lambda$ is, essentially, the difference of two numbers in the range $(0, MN^{1/2})$. We 
conclude that our algorithm is faster than the Multiple Polynomial Quadratic 
Sieve because 

- vertices in the hypercube correspond to polynomials in MPQS. 

- for each vertex, the cost of sieving $2M$ locations is the same in our algorithm 
as in MPQS. 

- the size of the quadratic residues considered is, as in MPQS, about $MN^{1/2}$. 

- changing polynomials is much more expensive than changing vertices of the 
hypercube. Therefore the optimal value for the size of the hypercube path is 
bigger than the optimal number of polynomials in MPQS. This means that 
$M$ will be smaller in our algorithm and therefore $MN^{1/2}$ will be smaller. 
Thus, our algorithm will generate smaller quadratic residues than MPQS. 

In practice there are many speedups to be included in an implementation 
of this factoring algorithm. All the enhancements described in [5] can be used 
with this algorithm. A rough estimate of how much faster this algorithm is than 
MPQS can be obtained as follows: 

Let $T$ be the running time of the algorithm, in terms of arithmetic operations 
on single-precision numbers. Let $V$ be the cost of moving from one vertex to 
another. Let $S$ be the cost of sieving at each vertex. Suppose we sieve modulo all 
primes less than $B$ for which $N$ is a quadratic residue. There are about $\pi(B)/2$ such 
primes. It takes four operations per prime to make a move on the hypercube. 
Therefore we can estimate $V$ by $2\pi(B)$. We can estimate $S$ by $\frac{1}{2}\sum_{p < B} 4M/p$ 
since for each prime $p$ in the factor base about $4M/p$ locations of an accumulator 
array need be updated. We can estimate this sum by $6M$. Thus our estimate for 
$T$ is $A(S + V) = 2A\pi(B) + 6AM$. 

Let $F(y, x)$ be the probability that a random number in $\mathbb{Z}_y$ factors over 
primes smaller than $x$. The number of quadratic residues considered by our 
algorithm is $2AM$, and each can be thought of as a random number in $\mathbb{Z}_{MN^{1/2}}$. 
Thus about $2AM\,F(MN^{1/2}, B)$ of the quadratic residues will be $B$-smooth. 
Since we need about $\pi(B)/2$ smooth quadratic residues, we set 

$$2AM\,F(MN^{1/2}, B) = \pi(B)/2.$$ 

Approximating $\pi(B)$ by $B/\ln B$ and $F(y, x)$ by $(\ln x/\ln y)^{\ln y/\ln x}$ (see [4]), our 
problem is to minimize 

$$2AB/\ln B + 6AM$$ 

subject to 

$$A = \frac{B}{4M\ln B}\left(\frac{\ln(MN^{1/2})}{\ln B}\right)^{\ln(MN^{1/2})/\ln B}.$$ 

The solution to this optimization problem can be approximated numerically. For 
$N \approx 10^{100}$, optimal values are 

$$A = 1.2\cdot 10^5;\quad B = 1.4\cdot 10^8;\quad M = 1.3\cdot 10^7;\quad T = 1.1\cdot 10^{13}.$$ 

Assuming the cost of changing polynomials in MPQS is $50\pi(B)$,³ the numbers 
for MPQS are 

$$A = 5.8\cdot 10^3;\quad B = 1.9\cdot 10^8;\quad M = 4.5\cdot 10^8;\quad T = 1.9\cdot 10^{13}.$$ 

Thus it appears that our techniques significantly improve on the running time 
of MPQS. 

4.1 Remarks 

1. The running-time predictions given above are very crude estimates. The true 
test of the running time of this algorithm will be its implementation. 

2. In practice, the $\omega_i$'s defined in section 2 can be set to zero without a signif- 
icant cost in the running time of the algorithm. Doing so has the advantage 
of diminishing the memory requirements of the algorithm. 

3. In practice, the factors of $t$ should not be small primes. This is because the 
numbers being sieved have a chance of $1/p$ of being divisible by $p$ when $p$ 
divides $t$ (as opposed to $2/p$ when $p$ is an odd prime in the factor base which 
does not divide $t$). The resulting loss of smoothness is significant for small 
$p$. Because of this, the $t$ we use in practice may not have as many factors as 
the optimization of parameters requires. 

4. Pomerance, Smith, and Tuler [7], and Montgomery (reported in [7]) propose 
ways of speeding up MPQS which are similar to the one proposed here. 
Their methods can be combined with the techniques being proposed here. It 
appears that doing so may further improve the running time of the algorithm. 

5. The number of vertices of the hypercube to be visited by the factoring algo- 
rithm should be at most $2^{n-1}$, where $n$ is the number of factors of $t$. Other- 
wise duplication of polynomials occurs, since $(s/t + \lambda t)^2$ and $((t^2 - s)/t + \lambda t)^2$ 
are essentially equivalent. 

³ This is 25 times as expensive as in our algorithm. Changing polynomials in MPQS 
involves arithmetic with large numbers. Hence the cost will depend on the particular 
implementation of large number arithmetic. The number 25 was arrived at using 
"ln++", a c++ package developed at UWM. 
Abstract 

Elliptic curves defined over finite fields have been proposed for Diffie-Hell- 
man type crypto systems. Koblitz has suggested to use "anomalous" elliptic 
curves in characteristic 2, as these are nonsupersingular and allow for efficient 
multiplication of points by an integer. 

For anomalous curves $E$ defined over $\mathbb{F}_2$ and regarded as curves over the 
extension field $\mathbb{F}_{2^n}$, a new algorithm for computing multiples of arbitrary points 
on $E$ is developed. The algorithm is shown to be three times faster than dou- 
ble and add, is easy to implement and does not rely on precomputation or 
additional memory. The algorithm is used to generate efficient one-way permu- 
tations involving pairs of twisted elliptic curves by extending a construction of 
Kaliski to finite fields of characteristic 2. 

1 Introduction 

Elliptic curves defined over finite fields have been proposed for Diffie-Hellman type 
crypto systems [7,4] as well as for implementation of one-way permutations [2]. In 
particular, in [3] Koblitz has described the class of "anomalous" elliptic curves which 
in characteristic 2 have the following useful properties 

1. They are nonsupersingular, so that one cannot use the Menezes-Okamoto- 
Vanstone reduction [6] of discrete logarithms from elliptic curves to finite fields. 

2. Multiplication of points by an integer $m$ can be carried out almost as efficiently 
as in the case of supersingular curves. 

According to [3] an elliptic curve $E$ defined over the field $\mathbb{F}_q$ is called anomalous if 
the trace of the Frobenius map ($(x, y) \mapsto (x^q, y^q)$) is equal to 1. Equivalently, an 
elliptic curve over $\mathbb{F}_q$ is anomalous if and only if the number of $\mathbb{F}_q$-points is equal 
to $q$. As in [3] we will concentrate on curves in characteristic 2, and in particular on 
the anomalous curve 

$$E: y^2 + xy = x^3 + x^2 + 1 \qquad (1)$$ 

defined over $\mathbb{F}_2$. We will also consider its twist $\tilde{E}$ over $\mathbb{F}_2$, which is given by the 
equation $y^2 + xy = x^3 + 1$. Subsequently these curves will be considered over the 
extension fields $\mathbb{F}_{2^n}$. Hereby let $E_n$ denote the $\mathbb{F}_{2^n}$-points of the curve $E$, and $\tilde{E}_n$ its 
twist over $\mathbb{F}_{2^n}$. 

In applications, e.g., in a Diffie-Hellman key exchange, multiples $mP$ of points 
$P$ on the curve $E_n$ have to be computed. In standard algorithms for multiplication, 
e.g., by double and add, this is reduced to a number of additions of points on $E_n$. 
Since these additions consume most of the computation time, it is desirable to have 
algorithms which need fewer additions on $E_n$. In [3] it is suggested to express multi- 
plication by $m$ as linear combinations of powers of the Frobenius map $\phi$, as these can 
be computed by iterated squaring in $\mathbb{F}_{2^n}$ which, in a normal basis representation, is 
easily accomplished by shift operations. In [3] expansions of the form 

$$m = \sum_j c_j \phi^j \qquad (2)$$ 

are considered with $c_j \in \{0, \pm 1\}$. With this representation of $m$ the computation of 
$mP$ can be reduced to $l - 1$ additions where $l$ is the number of nonzero terms in (2). 
Therefore it is desirable to have short expressions (2). The expansions given in [3] in 
the average have twice the length of the binary expansion of $m$. 

In this paper we elaborate constructions of short expansions (2). In particular, in 
Section 2 we prove that there always exists an expansion $m = \sum_{j=0}^{n-1} c_j \phi^j$ of length $n$, 
where $n$ is the degree of the extension field (Theorem 1). The proof of Theorem 1 
leads to an efficient algorithm which produces expansions where half of the coefficients 
$c_j$ are expected to be zero (Corollary 4). 

Our construction exploits the fact that the endomorphism ring $\mathrm{End}(E)$ of the 
curve $E$ is related to the ring $\mathbb{Z}[\alpha] = \{a + b\alpha \mid a, b \in \mathbb{Z}\} \subset \mathbb{C}$, where $\alpha = (1 + \sqrt{-7})/2$. 
In particular we will reduce the problem of finding $\phi$-expansions in $\mathrm{End}(E)$ to finding 
$\alpha$-expansions in $\mathbb{Z}[\alpha]$, where we make specific use of the rich algebraic structure of the 
ring $\mathbb{Z}[\alpha]$. The computational complexity of the reduction algorithm is of magnitude 
of an $n$-bit integer multiplication. 

Since execution of $\phi$ is obtained almost for free, the $\phi$-expansion of $m$ allows to 
compute $mP$ for an arbitrary point $P$ on $E_n$ with $n/2$ additions in the average. As 
the computation of the $\phi$-expansion is negligible compared with a full multiplication 
by $m$ on the curve, this results in an improvement by a factor 3 compared to double 
and add without using precomputation or additional memory. At this point we note 
that other methods have been proposed for accelerating this operation (see e.g., [1]). 
However these methods only apply if the point $P$ is assumed to be fixed. Furthermore 
they need precomputation with this predefined point $P$ (and additional memory). 
Observe for example that $P$ cannot be assumed to be fixed in the second step of a 
Diffie-Hellman key exchange protocol. 

Our results also apply to generate efficient one-way permutations based on elliptic 
curves. In [2] Kaliski has proposed a construction of one-way permutations involving 
pairs of twisted elliptic curves over $\mathbb{F}_p$ for large prime numbers $p$. It is easy to 
generalize the treatment in [2] to any extension field $\mathbb{F}_{p^n}$ of $\mathbb{F}_p$. In Section 3 we 
apply the construction to extension fields $\mathbb{F}_{2^n}$ in characteristic 2. The treatment 
in characteristic 2 differs from the treatment in odd characteristic. However the 
construction in characteristic 2 appears to be particularly attractive, as arithmetic 
can be carried out efficiently. On certain curves, arithmetic can be accelerated by 
using the $\phi$-expansion of multiplication by $m$. Restriction to curves with short $\phi$- 
expansion leaves enough freedom to find examples of curves with good cryptographic 
properties. 

2 Frobenius Expansion of Multiplication by m 

On an anomalous curve over F_q, the Frobenius map φ satisfies the characteristic equation T^2 − T + q = 0. We will also consider the twist Ẽ of E, whose Frobenius satisfies T^2 + T + q = 0. The number of F_q-points on Ẽ is q + 2. The "n-twist" Ẽ_n is the twist of E regarded as a curve over the extension field F_{q^n}. Using the Weil conjecture (see [8, p. 136]), the number N_n of F_{q^n}-points can be computed as

N_n = |α^n − 1|^2 = |β^n − 1|^2 = 1 + q^n − α^n − β^n,   (3)

where α and β in C are the roots of the characteristic equation T^2 − T + q = 0. The number Ñ_n of points on the twist Ẽ_n is given by Ñ_n = |α^n + 1|^2 = 1 + q^n + α^n + β^n. Equivalently, N_n and Ñ_n can be computed as N_n = q^n + 1 − a_n and Ñ_n = q^n + 1 + a_n, where a_n = α^n + β^n for n ≥ 2 satisfies the recursion a_n = a_{n−1} − q a_{n−2} with the initial values a_0 = 2 and a_1 = 1.

We now will concentrate on anomalous curves in characteristic 2, and in particular on the anomalous curve E : y^2 + xy = x^3 + x^2 + 1 defined over F_2. Its twist over F_2 is given by Ẽ : y^2 + xy = x^3 + 1. Let E_n denote the curve E regarded over the extension field F_{2^n}, and Ẽ_n its twist over F_{2^n}.

Our aim in this section is to express multiplication by m as short linear combinations of powers of the Frobenius map φ, as this will lead to an efficient computation of multiples mP of arbitrary points on E_n. In [3] expansions of the form

are considered with c_j ∈ {0, ±1}. The expansions given in [3] on average have twice the length of the binary expansion of m. On the other hand, from [5, p. 149] one concludes that there must be shorter expansions of the form

m = Σ_{j=0}^{n−1} a_j φ^j,   (5)

possibly with larger coefficients, however. From [5] one can merely deduce that |a_j| < 7.

In the following theorem we show that one can construct expansions which simultaneously satisfy the conditions of (4) and (5).

Theorem 1 For the anomalous curve E : y^2 + xy = x^3 + x^2 + 1 defined over F_2, let E_n be the curve regarded over the extension field F_{2^n}. Then on E_n multiplication by an integer m can be expressed as

m = Σ_{j=0}^{n−1} c_j φ^j,   (6)

with c_j ∈ {0, ±1}.

This theorem also holds for Ẽ_n. The proof proceeds in several steps. First observe that the Frobenius map satisfies the equation φ^2 − φ + 2 = 0, and that there is a natural homomorphism from the ring Z[α] = {a + bα | a, b ∈ Z} ⊂ C to the endomorphism ring End(E) of E which maps α = (1 + √−7)/2 to φ. Thus, if we have an expansion m = Σ_j c_j α^j in Z[α], we immediately get a corresponding expansion m = Σ_j c_j φ^j in End(E). This means that mP = Σ_j c_j φ^j(P) for every point P on E_n. For finding such an expansion in Z[α] we will make use of the algebraic structure of the ring Z[α]. Note that Z[α] is a Euclidean domain with respect to the norm N(a + bα) = |a + bα|^2 = (a + bα)(a + bᾱ) = a^2 + ab + 2b^2, a, b ∈ Z. For the proof of the theorem we will make use of the following stronger property.

Lemma 2 For any s, t ∈ Z[α], t ≠ 0, there exist q, r ∈ Z[α] such that s = qt + r with

N(r) < (4/7) N(t).   (7)

Proof. The elements of the ring Z[α] form a lattice in C, and the whole of C can be covered by triangles whose vertices are in Z[α], as depicted in Figure 1. Consider the triangle with vertices 0, 1 and α. The point r = 1/2 + (3/(2√7)) i is the center of the circumscribed circle of the triangle, as is easily verified by computing the distance of r to each vertex, that is |r − 0| = |r − 1| = |r − α| = 2/√7. It follows that any other point in the triangle has distance less than 2/√7 to some vertex. Since any point z ∈ C lies in some triangle, we conclude that for any complex number z ∈ C there is an element u ∈ Z[α] with N(z − u) < (2/√7)^2 = 4/7.

Figure 1: The lattice Z[α].

Now let s, t ∈ Z[α] with t ≠ 0. Consider the quotient v = s/t computed in the quotient field of Z[α], i.e., in the field Q(α) = {a + bα | a, b ∈ Q} ⊂ C. Then, as discussed above, there is an element q ∈ Z[α] with N(v − q) < 4/7, and r = s − qt = t(v − q) has norm N(r) = N(v − q) N(t) < (4/7) N(t), which implies that q, r ∈ Z[α] have the properties as stated in the lemma. □

Lemma 3 For any s ∈ Z[α] with norm N(s) < 2^n, n ∈ N, there is an expansion

s = Σ_{j=0}^{n−1} c_j α^j   (8)

of length n with c_j ∈ {0, ±1}.

Proof. The proof is by induction on n. For n = 1, 2, consider the elements in Z[α] with norm less than 4. These are the element 0 with norm 0, the elements ±1 with norm 1 and the elements ±α, ±(1 − α) with norm 2. For these elements the statement of the lemma holds, as is seen by direct inspection.

Now consider s ∈ Z[α] with N(s) < 2^n, n > 2. Since Z[α] is a Euclidean domain, s can be expressed as

s = s'α + c   (9)

with N(c) < N(α) = 2, i.e., with c ∈ {0, ±1}. The idea is to reduce the problem of finding an expansion for s to the problem of finding an expansion for s'. If c = 0, i.e., if α divides s, the reduction (9) is unique. Otherwise, as α divides 2, there is always a reduction with c = 1 and another reduction with c = −1. If the reduction could be done such that N(s') < N(s)/2 < 2^{n−1}, the proof would easily be completed by induction. There are situations however, where there is no reduction with N(s') < N(s)/2, as we shall see below. We will distinguish between the following three cases:

1. Non-critical case: There is a reduction (9) with N(s') < N(s)/2.

2. Semi-critical case: There is a reduction (9) with N(s') = N(s)/2.

3. Critical case: There are only reductions (9) with N(s') > N(s)/2.

If α divides s, we have the reduction s = s'α with c = 0 and N(s') = N(s)/2, i.e., s is semi-critical. If α does not divide s, α is a divisor of both s − 1 and s + 1. In this case the type of the reduction turns out to depend on the absolute value of the real part ℜ(s) of s:

1. Non-critical case: |ℜ(s)| ≥ 1. Assume for example that ℜ(s) ≥ 1, as illustrated for s = s_1 in Figure 2. Then N(s − 1) < N(s), and we have the reduction s = s'α + 1 with N(s') = N(s − 1)/N(α) < N(s)/2. Similarly, if ℜ(s) ≤ −1, we have s = s'α − 1 with N(s') < N(s)/2.
2. Semi-critical case: |ℜ(s)| = 1/2. Assume for example that ℜ(s) = 1/2, as illustrated for s = s_2 in Figure 2. Then N(s − 1) = N(s), and we have the reduction s = s'α + 1 with N(s') = N(s − 1)/N(α) = N(s)/2. Similarly, if ℜ(s) = −1/2, we have s = s'α − 1 with N(s') = N(s)/2.

3. Critical case: ℜ(s) = 0. This is illustrated for s = s_3 in Figure 2. Then, by Pythagoras' theorem, N(s − 1) = N(s + 1) = N(s) + 1, and we have the reductions s = s'α + 1 and s = s''α − 1 with

N(s') = N(s'') = (N(s) + 1)/2.   (10)

Since s'' − s' = 2/α = 1 − α, either s' or s'' is not divisible by α. Assume that s' is not divisible by α. We claim that s' has a non-critical reduction. For this it suffices to show that |ℜ(s')| ≥ 1.

Since ℜ(s) = 0, s must be of the form s = a√−7 for some odd integer a ∈ Z. Then s' can be computed in Q(α) as

s' = (s − 1)α^{−1} = (a√−7 − 1)(1 − √−7)/4 = (7a − 1)/4 + ((a + 1)/4)√−7.

It follows that |ℜ(s')| ≥ 3/2. Hence s' is non-critical. Similarly, s'' is non-critical if α does not divide s''.
Figure 2: The reductions for s = s_1 (non-critical case), s = s_2 (semi-critical case) and s = s_3 (critical case).

Now the proof of the lemma is easily accomplished. In case that s has a non-critical or semi-critical reduction s = s'α + c, we have N(s') ≤ N(s)/2 < 2^{n−1}. By the induction hypothesis, s' has an expansion in α of length n − 1, which yields an expansion of s in α of length n.

In case that s has a critical reduction s = s'α + c, we have according to (10), N(s') = (N(s) + 1)/2 ≤ 2^{n−1}. Since the inequality N(s') < 2^{n−1} does not hold strictly, we cannot apply the induction hypothesis to s'. However, as discussed above, the reduction can be done such that s' has a non-critical reduction s' = s''α + c', i.e., N(s'') < N(s')/2 ≤ 2^{n−2}. Thus s = s''α^2 + c'α + c, and by the induction hypothesis, s'' has an expansion in α of length n − 2, which yields an expansion of s in α of length n. This completes the proof of the lemma. □

Now we are in a position to prove Theorem 1. As the curve E_n is regarded over the extension field F_{2^n}, the Frobenius map satisfies the equation φ^n = 1. It follows that for any two α-expansions which are congruent modulo α^n − 1 the corresponding φ-expansions yield the same endomorphism on E_n. Therefore we compute the α-expansion of the remainder m' of the division of m by α^n − 1,

m = q(α^n − 1) + m',   (11)

where, according to Lemma 2, N(m') < (4/7) N(α^n − 1). To obtain a bound on N(m') we compute (see formula (3))

N(α^n − 1) = (α^n − 1)(β^n − 1) = (αβ)^n − (α^n + β^n) + 1 = 2^n + 1 − (α^n + β^n) = N_n.   (12)

By Hasse's theorem (see [8, p. 131]), N_n ≤ f(n) = 2^n + 1 + 2^{n/2+1}, and for n ≥ 4, (4/7) f(n) < 2^n, as g(n) = 2^n − (4/7) f(n) is strictly increasing for n ≥ 1 and strictly positive for n = 4. Hence for n ≥ 4, N(m') < 2^n and the theorem follows from Lemma 3. For n ≤ 3 the statement of the theorem can be verified directly. □

Note that an arbitrary element s = a + bα in Z[α] is divisible by α if and only if a is even. Hence with probability 1/2 this element has a reduction of the form s = s'α, i.e., with c = 0. Continuing the reduction, it is to be expected that the intermediate results s' also have this property. This would imply that half of the coefficients c_j in (8) can be expected to be zero. This has been confirmed experimentally.

Corollary 4 (Experimental result) In the expansion m = Σ_{j=0}^{n−1} c_j φ^j half of the coefficients c_j are expected to be zero.

It is easy to compute the α-expansion of an arbitrary element s = a + bα ∈ Z[α]. From the proof of Lemma 3 one can derive the following simple and efficient procedure which outputs the c_j in ascending order of j.

while a ≠ 0 or b ≠ 0 do begin
  if a is even then
    c := 0;
  else begin
    if 2a + b ≠ 0 then c := sgn(2a + b);
    if 2a + b = 0 then begin
      if a ≡ 1 (mod 4) then c := −1;
      if a ≡ 3 (mod 4) then c := 1;
    end;
  end;
  x := (a − c)/2; a := x + b; b := −x;
  output(c);
end.
The problem of efficiently finding short φ-expansions of multiplication by an arbitrary m was addressed by Koblitz in [3]. In the above procedure, the amount of work to perform the division (11) is roughly of the same magnitude as to perform the reduction. This is of the magnitude of an n-bit integer multiplication, and is negligible in comparison with a full multiplication by m on the elliptic curve.

As execution of φ is obtained almost for free, according to Corollary 4 multiplication by m can be carried out with n/2 additions on average. This results in an improvement by a factor 3 compared to double-and-add, without using precomputation or additional memory.
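The procedure above, the division (11) and the identity mP = Σ_j c_j φ^j(P) can be checked end to end. The following Python script is an added example, not code from the paper: it implements the α-expansion exactly as printed, the reduction of m modulo α^n − 1 with the rounding argument of Lemma 2, and then verifies on the curve E : y^2 + xy = x^3 + x^2 + 1 over the small field F_{2^7} (an assumed instance; the field modulus x^7 + x + 1 and the bound 300 on m are choices made here) that the Frobenius expansion of every m gives the same point as ordinary double-and-add. The function names are the example's own.

```python
import math
from fractions import Fraction

# Z[alpha], alpha = (1 + sqrt(-7))/2, alpha^2 = alpha - 2; the element a + b*alpha is the pair (a, b).
ALPHA = (0, 1)

def zmul(s, t):
    (a, b), (c, d) = s, t
    return (a * c - 2 * b * d, a * d + b * c + b * d)

def norm(s):                                   # N(a + b*alpha) = a^2 + ab + 2b^2
    return s[0] * s[0] + s[0] * s[1] + 2 * s[1] * s[1]

def alpha_expansion(a, b):
    """Digits c_0, c_1, ... in {0, 1, -1} with a + b*alpha = sum_j c_j alpha^j (the procedure after Corollary 4)."""
    coeffs = []
    while a != 0 or b != 0:
        if a % 2 == 0:
            c = 0                              # alpha divides s
        elif 2 * a + b != 0:
            c = 1 if 2 * a + b > 0 else -1     # 2a + b = 2 Re(s): non-critical or semi-critical case
        else:
            c = -1 if a % 4 == 1 else 1        # Re(s) = 0: critical case, take the successor alpha does not divide
        x = (a - c) // 2
        a, b = x + b, -x                       # (s - c) / alpha, exact because a - c is even
        coeffs.append(c)
    return coeffs

def eval_expansion(coeffs):                    # Horner evaluation back into Z[alpha]
    s = (0, 0)
    for c in reversed(coeffs):
        s = zmul(s, ALPHA)
        s = (s[0] + c, s[1])
    return s

def reduce_mod(m, n):
    """Remainder m' of the integer m modulo alpha^n - 1 (equation (11)), rounded as in Lemma 2."""
    t = ALPHA
    for _ in range(n - 1):
        t = zmul(t, ALPHA)
    A, B = t[0] - 1, t[1]                      # t = alpha^n - 1 = A + B*alpha
    va, vb = Fraction(m * (A + B), norm((A, B))), Fraction(-m * B, norm((A, B)))   # m/t = m*conj(t)/N(t)
    fa, fb = math.floor(va), math.floor(vb)
    quotients = [(qa, qb) for qa in range(fa - 1, fa + 3) for qb in range(fb - 1, fb + 2)]
    rems = [(m - zmul(q, (A, B))[0], -zmul(q, (A, B))[1]) for q in quotients]
    return min(rems, key=norm)                 # nearest lattice point: N(m') <= (4/7) N(alpha^n - 1)

N, MOD = 7, 0b10000011                         # constructed instance: F_{2^7} with modulus x^7 + x + 1

def gf_mul(u, v):
    r = 0
    while v:
        r ^= u if v & 1 else 0
        v, u = v >> 1, u << 1
        u ^= MOD if u >> N else 0
    return r

def gf_inv(u):                                 # brute force is fine for a 7-bit field
    return next(v for v in range(1, 1 << N) if gf_mul(u, v) == 1)

def ec_add(P, Q):                              # None is the point at infinity; curve coefficient a2 = 1
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y2 == x1 ^ y1 or x1 == 0:           # Q = -P, or P = (0, 1), the point of order 2
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))      # doubling
        x3 = gf_mul(lam, lam) ^ lam ^ 1
        return (x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3))
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))     # general addition
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ 1
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def on_curve(x, y):                            # y^2 + xy = x^3 + x^2 + 1
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x) ^ gf_mul(x, x) ^ 1

def scalar_mult(m, P):                         # plain double-and-add, used as the reference
    R = None
    for bit in bin(m)[2:]:
        R = ec_add(R, R)
        R = ec_add(R, P) if bit == '1' else R
    return R

def frobenius_mult(m, P):
    """mP from the phi-expansion of m' = m mod (alpha^n - 1); phi(x, y) = (x^2, y^2) costs no inversion."""
    mp = reduce_mod(m, N)
    coeffs = alpha_expansion(*mp)
    assert norm(mp) < 2 ** N and len(coeffs) <= N      # bounds from Theorem 1 and Lemma 3
    R = None
    for c in reversed(coeffs):                 # Horner: phi(... phi(c_{k-1} P) + c_{k-2} P ...) + c_0 P
        R = None if R is None else (gf_mul(R[0], R[0]), gf_mul(R[1], R[1]))
        if c:
            R = ec_add(R, P if c == 1 else (P[0], P[0] ^ P[1]))
    return R

def check(max_m):
    """True if the phi-expansion agrees with double-and-add for every m below max_m."""
    P = next((x, y) for x in range(1, 1 << N) for y in range(1 << N) if on_curve(x, y))
    return all(frobenius_mult(m, P) == scalar_mult(m, P) for m in range(max_m))
```

Each step of the Horner loop in frobenius_mult costs two field squarings and, only for a nonzero digit, one curve addition; since about half of the digits are zero (Corollary 4), this is where the factor-3 saving over double-and-add comes from. The search in reduce_mod is a direct transcription of the proof of Lemma 2: the quotient m/t is computed in Q(α) and rounded to the closest element of the lattice Z[α].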

The results of Theorem 1 and Corollary 4 may also be applied to the key exchange procedure suggested by H. Lenstra as mentioned in [3, p. 285]. In this suggestion one chooses expansions m = Σ_{j=0}^{n−1} c_j φ^j where only a certain maximum number of coefficients c_j are allowed to be nonzero. However it is unclear which multiples are obtained when applying this restriction. Furthermore certain multiples could occur more than once, which would result in a non-uniform probability distribution of the chosen values of m, or in a non-uniform distribution of the keys. Theorem 1 allows one to obtain every multiple with the same probability by choosing m first and then making the reduction.

3 One-Way Permutations on Elliptic Curves in Characteristic 2

In [2] elliptic curves have been suggested as a tool for generating one-way permutations. Two constructions have been proposed in [2], one involving single elliptic curves and the other one involving pairs of twisted elliptic curves. Both constructions deal with curves over F_p for large prime numbers p. As already observed in [2], the elliptic curves used in the first construction are supersingular, so that the Menezes-Okamoto-Vanstone reduction [6] can be applied. The second construction applies to arbitrary elliptic curves over F_p for any odd prime number p > 3. It is easy to generalize the treatment in [2] to any extension field F_{p^n} of F_p.

In this section we apply the second construction to extension fields F_{2^n} in characteristic 2. The treatment in characteristic 2 differs from the treatment in odd characteristic. However the construction in characteristic 2 appears to be particularly attractive for the following reasons.

1. Arithmetic in characteristic 2 can be carried out efficiently.

2. On certain curves, arithmetic can be accelerated by using the φ-expansion of multiplication by m.

3. Even restriction to anomalous curves leaves enough freedom to find curves with good cryptographic properties.

In the following all curves are considered to be defined over fields with characteristic 2. Recall that an elliptic curve in characteristic 2 is nonsupersingular if and only if the j-invariant is nonzero (see [8, p. 145]). The normal form of an elliptic curve E with j(E) ≠ 0 is given by

y^2 + xy = x^3 + a_2 x^2 + a_6,   (13)

where a_6 ≠ 0. If a_2, a_6 are in F_{2^n}, the curve is defined over F_{2^n}. The twist Ẽ of E, up to isomorphism, is given by

y^2 + xy = x^3 + (a_2 + D) x^2 + a_6,   (14)

where D ∈ F_{2^n} is such that the polynomial t^2 + t + D is irreducible over F_{2^n}. Observe that E and Ẽ are non-isomorphic over F_{2^n} but are isomorphic over F_{2^{2n}}. Now we prove the analogue of Lemma 4.1 in [2].

Lemma 5 Every nonzero x ∈ F_{2^n} appears either as x-coordinate of exactly two points on E or as x-coordinate of exactly two points on Ẽ. The elliptic curve E together with its twist Ẽ has order 2(2^n + 1), i.e., #E + #Ẽ = 2(2^n + 1).

Proof. For a fixed x ≠ 0 the equation in y for (x, y) to be on E can be written as

t^2 + t + c = 0,   (15)

with t = y/x and where c = (x^3 + a_2 x^2 + a_6)/x^2 is a constant. Similarly, with the same notation, the equation in y for (x, y) to be on Ẽ is

t^2 + t + (c + D) = 0.   (16)

The equation t^2 + t + c = 0 has a solution if and only if c is in the image of the mapping Q : F_{2^n} → F_{2^n}, Q(t) = t^2 + t. Since Q is a homomorphism of the additive group F_{2^n}, with kernel F_2, the image im Q is a subgroup of index 2 in F_{2^n}. By assumption t^2 + t + D is irreducible over F_{2^n}, hence D ∉ im Q. As a consequence exactly one of the two elements c and c + D is in im Q. This implies that exactly one of the equations (15) and (16) has (two) solutions. Thus we conclude that every nonzero x appears either as x-coordinate of exactly two points on E or as x-coordinate of exactly two points on Ẽ, which implies the first part of the lemma.

For x = 0 we get the equation y^2 = a_6 for both curves. This equation always has exactly one solution, as squaring in F_{2^n} is a bijection. The latter holds as 2 is relatively prime to |F_{2^n}^*| = 2^n − 1. Counting the points on E and Ẽ we get 2(2^n − 1) points with x ≠ 0, two points with x = 0 and the two points at infinity. This implies that #E + #Ẽ = 2(2^n + 1) (which also follows from the Weil conjecture (3)). □

Our aim is to identify the elements of E and Ẽ with certain integers. For a given representation of the elements of F_{2^n} as residues modulo a fixed irreducible polynomial, we first identify the elements of F_{2^n} with the integers 0, 1, ..., 2^n − 1 as follows: The polynomial f(t) = c_{n−1} t^{n−1} + ... + c_1 t + c_0 ∈ F_2[t] considered as element of F_{2^n} is identified with the integer c_{n−1} 2^{n−1} + ... + c_1 2 + c_0. This bijection defines an ordering of F_{2^n}. This ordering is in no way compatible with the algebraic structure of the field, but we can use it to construct a map ℓ from E ∪ Ẽ to the integers.

First we define ℓ on E. For x ≠ 0 suppose that (x, y) ∈ E. Then (x, x + y) is the other point on E with the same x-coordinate. The idea in the definition of ℓ is to map the point with the smaller y-coordinate to the set 1, ..., 2^n − 1 and the point with the larger y-coordinate to the set 2^n + 2, ..., 2^{n+1}.

ℓ(x, y) = 0              if x = 0 and y = √a_6        (17)
ℓ(x, y) = x              if x ≠ 0 and y < x + y        (18)
ℓ(x, y) = x + 2^n + 1    if x ≠ 0 and y > x + y        (19)
ℓ(∞) = 2^n                                             (20)

The definition of ℓ on Ẽ is similar.

ℓ(x, y) = 2^n + 1        if x = 0 and y = √a_6        (21)
ℓ(x, y) = x              if x ≠ 0 and y < x + y        (22)
ℓ(x, y) = x + 2^n + 1    if x ≠ 0 and y > x + y        (23)
ℓ(∞) = 2^{n+1} + 1                                     (24)

Theorem 6 Let E : y^2 + xy = x^3 + a_2 x^2 + a_6 be a nonsupersingular elliptic curve, and Ẽ : y^2 + xy = x^3 + (a_2 + D) x^2 + a_6 its twist over F_{2^n}. Then the map ℓ as defined in (17)-(24) is a bijection from E ∪ Ẽ to the set of numbers {0, 1, ..., 2^{n+1} + 1}.

Proof. According to Lemma 5 the sets of possible nonzero x-coordinates of points on E and on Ẽ are disjoint. Therefore ℓ, as defined in (17)-(24), is injective. Hence ℓ is bijective, as by Lemma 5 the two sets have the same cardinality. □

We now assume that both curves E and Ẽ are cyclic with generators G ∈ E and G̃ ∈ Ẽ. Let N denote the order of E. Then we define a map f : {0, ..., 2^{n+1} + 1} → {0, ..., 2^{n+1} + 1}, as in [2], by

f(m) = ℓ(mG)    if 0 ≤ m < N                 (25)
f(m) = ℓ(mG̃)    if N ≤ m < 2^{n+1} + 2       (26)

As a consequence of Theorem 6 we obtain the following

Corollary 7 Let E : y^2 + xy = x^3 + a_2 x^2 + a_6 be a nonsupersingular elliptic curve, and Ẽ : y^2 + xy = x^3 + (a_2 + D) x^2 + a_6 its twist over F_{2^n}. If both curves E and Ẽ are cyclic, then the function f as defined in (25) and (26) is a permutation of the set {0, ..., 2^{n+1} + 1}.

As observed in [2], inverting the permutation f is equivalent to solving the discrete logarithm problem on the elliptic curves.

Our aim is to find practical examples where both curves E and Ẽ are cyclic. At the same time the order of each curve should have at least one large prime divisor such that computation of discrete logarithms is supposed to be hard. A finite abelian group is cyclic if and only if the p-primary component of the group is cyclic for each prime p dividing the order of the group. For the p-primary component for p = 2 we have

Proposition 8 For a nonsupersingular elliptic curve in characteristic 2 the 2-primary component is always cyclic.

Proof. Let P_0 = (x_0, y_0) ∈ E be a point of order 2, i.e. 2P_0 = 0, or P_0 = −P_0. For j(E) ≠ 0 the curve E has the normal form y^2 + xy = x^3 + a_2 x^2 + a_6, and the negative of a point P = (x, y) is computed as −P = (x, −y − x) (see [8, p. 58]). This implies that y_0 = −y_0 − x_0, hence x_0 = −2y_0 = 0 and y_0 = √a_6, i.e., there is only one point of order 2. □

In order to guarantee that the p-primary component is cyclic for odd primes p we are looking for curves whose order is not divisible by p^2. For examples we concentrate on the anomalous curve E : y^2 + xy = x^3 + x^2 + 1 defined over F_2 as discussed in Section 2. Thus denote by N_n the number of F_{2^n}-points on E and by Ñ_n the number of F_{2^n}-points on Ẽ. The degrees n = 107 and n = 181 of the extension fields turn out to be favourable in view of the desired criteria. The prime factorizations of the corresponding orders N_n and Ñ_n are given as follows.

N_107 = 2 · 81129638414606692182851032212511
Ñ_107 = 4 · 40564819207303335604363489037809

N_181 = 2 · 122719 · 23531 · 530697483168464396730940889115599370835266943
Ñ_181 = 4 · 1087 · 12671 · 115117 · 307339 · 1572431197704155598636826628289553813

The first example contains prime numbers with 32 decimal digits. This example is already mentioned in [3]. The second example contains prime numbers with 45 and 37 decimal digits, respectively.
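Lemma 5, Theorem 6 and Proposition 8, together with the point-count formula of Section 2, can be checked directly on a small instance. The Python script below is an added example, not part of the paper: it enumerates the points of E : y^2 + xy = x^3 + x^2 + 1 and of its twist Ẽ : y^2 + xy = x^3 + 1 over F_{2^7} (an assumed instance; the field modulus x^7 + x + 1 and D = 1 are choices made here, D = 1 being admissible because t^2 + t + 1 is irreducible over F_{2^n} for odd n), compares the two orders with N_n = 2^n + 1 − a_n and Ñ_n = 2^n + 1 + a_n from the recursion a_n = a_{n−1} − 2a_{n−2}, and checks that the map ℓ of (17)-(24) is a bijection onto {0, ..., 2^{n+1} + 1}. The helper names are the example's own.

```python
N, MOD = 7, 0b10000011          # constructed instance: F_{2^7} with modulus x^7 + x + 1; n odd, so D = 1 works
A2, A6, D = 1, 1, 1             # E: y^2 + xy = x^3 + x^2 + 1 (the anomalous curve of Section 2); twist has a2 + D = 0

def gf_mul(u, v):
    r = 0
    while v:
        r ^= u if v & 1 else 0
        v, u = v >> 1, u << 1
        u ^= MOD if u >> N else 0
    return r

def affine_points(a2):
    """All affine points of y^2 + xy = x^3 + a2*x^2 + A6 over F_{2^7}, found by brute force."""
    pts = []
    for x in range(1 << N):
        x2 = gf_mul(x, x)
        rhs = gf_mul(x2, x) ^ gf_mul(a2, x2) ^ A6
        pts.extend((x, y) for y in range(1 << N) if gf_mul(y, y) ^ gf_mul(x, y) == rhs)
    return pts

def trace_term(n):
    """a_n = alpha^n + beta^n from a_n = a_{n-1} - 2 a_{n-2}, a_0 = 2, a_1 = 1 (Section 2 with q = 2)."""
    a, b = 2, 1
    for _ in range(n):
        a, b = b, b - 2 * a
    return a

def ell(point, twisted):
    """The map l of (17)-(24); point None is the point at infinity, twisted selects the branch for the twist."""
    base = (1 << N) + 1 if twisted else 0
    if point is None:
        return base + (1 << N)                     # l(oo) = 2^n on E and 2^(n+1) + 1 on the twist
    x, y = point
    if x == 0:
        return base                                # the single point with x = 0: 0 on E, 2^n + 1 on the twist
    return x if y < x ^ y else x + (1 << N) + 1   # smaller y -> {1..2^n-1}, larger y -> {2^n+2..2^(n+1)}

def verify():
    """Checks Lemma 5, Theorem 6 and Proposition 8 on E and its twist; returns the two group orders."""
    E, Et = affine_points(A2), affine_points(A2 ^ D)
    orders = (len(E) + 1, len(Et) + 1)                                   # plus the point at infinity
    a_n = trace_term(N)
    assert orders == (2 ** N + 1 - a_n, 2 ** N + 1 + a_n)               # N_n and its twist from formula (3)
    xs, xst = {x for x, _ in E if x}, {x for x, _ in Et if x}
    assert not (xs & xst) and len(xs) + len(xst) == 2 ** N - 1           # Lemma 5: disjoint and exhaustive
    assert all(sum(1 for p in C if p[0] == x) == 2 for C, S in ((E, xs), (Et, xst)) for x in S)
    assert [sum(1 for p in C if p[0] == 0) for C in (E, Et)] == [1, 1]   # Proposition 8: one point of order 2
    images = [ell(p, False) for p in E + [None]] + [ell(p, True) for p in Et + [None]]
    assert sorted(images) == list(range(2 ** (N + 1) + 2))               # Theorem 6: l is a bijection
    return orders
```

The ordering of field elements used by ℓ is the integer ordering of the polynomial representation, exactly as defined before (17); it carries no algebraic meaning, which is why the proof of Theorem 6 needs nothing beyond the disjointness of the x-coordinate sets from Lemma 5. The permutation f of (25) and (26) is not exercised here, since it additionally requires both groups to be cyclic.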
Speeding up Elliptic Cryptosystems by Using a Signed Binary Window Method
Abstract. The basic operation in elliptic cryptosystems is the computation of a multiple d·P of a point P on the elliptic curve modulo n. We propose a fast and systematic method of reducing the number of operations over elliptic curves. The proposed method is based on pre-computation to generate an adequate addition-subtraction chain for the multiplier d. By increasing the average length of zero runs in a signed binary representation of d, we can speed up the window method. Formulating the time complexity of the proposed method makes clear that the proposed method is faster than other methods. For example, for d with length 512 bits, the proposed method requires 602.6 multiplications on average. Finally, we point out that each addition/subtraction over the elliptic curve using homogeneous coordinates can be done in 3 multiplications if parallel processing is allowed.

1 Introduction 

Elliptic curves over a finite field F_q or a ring Z_n can be applied to implement analogs [9] [11] [13] of the Diffie-Hellman scheme [4], ElGamal scheme [6] and RSA scheme [15], as well as primality testing [7] and integer factorization [12] [13]. Cryptosystems based on elliptic curves, called elliptic cryptosystems, seem more secure than the original schemes. For example, it is conjectured that the low exponent attack on the RSA scheme cannot be analogously applied to the attack on the elliptic RSA scheme using a low multiplier [9]. The basic operation performed on an elliptic curve is the computation of a multiple d·P of a point P on the elliptic curve modulo n, which corresponds to the computation of x^d mod n. For large n and d, the time complexity of elementary operations as well as the number of elementary operations are very high. Thus, reducing the number of such operations is important when implementing the above algorithms.

One solution is a so-called binary method [10] based on the addition chain [10] for multipliers d of d·P or exponents d of x^d. In general, an addition chain for a given d is a sequence of positive integers

a_0 (= 1), a_1, a_2, ..., a_r (= d),

where r is the number of additions, and a_i = a_j + a_k for some k ≤ j < i, for all i = 1, 2, ..., r. The binary method is a systematic algorithm based on an addition chain with elements that are powers of 2, i.e. a two-valued binary representation
of d. To evaluate d·P or x^d, the ordinary binary method without pre-computation requires (3/2)⌊log_2 d⌋ multiplications on average. The ordinary binary method does not always guarantee the minimum number of multiplications (the shortest addition chain). Obtaining the shortest addition chain is an NP-complete problem [5]. There have been many studies on the computation of x^d [1] [2] [3] [8] [16] and a few studies on the computation of d·P [14] to achieve fast and efficient computation. Among the variants of the binary method attempted to speed up the computation of x^d, Bos and Coster [1] proposed a heuristic window method based on an addition sequence. The addition sequence is a generalized addition chain including the given set of values. In their algorithm, the two-valued binary representation of d is split into pieces (windows), and the value of each window is computed in a shorter addition sequence.

An addition chain can be extended to an addition-subtraction chain [2] [10] [14], with a rule a_i = a_j ± a_k in place of a_i = a_j + a_k. This idea corresponds to the evaluation of x^d using multiplication and division. For integers, division (or the computation of a multiplicative inverse modulo n) is a costly operation, and implementing this idea does not seem feasible. The reason why elliptic curves are so attractive is that the division in Z_n is replaced by a subtraction, which has the same cost as an addition. An addition (subtraction) formula on elliptic curves does not contain a division in Z_n, particularly when homogeneous coordinates are used. Thus, the addition-subtraction chain can be effectively applied to computations over elliptic curves.

This paper proposes a fast and systematic method of computing a multiple d·P of a point P on the elliptic curve modulo n. By increasing the average length of zero runs in a signed binary representation of d, the window method can be speeded up. The organization of this paper is as follows. Section 2 describes a new signed binary window method, clarifying the difference between previous methods and the new method, and analyzes the number of operations for the proposed method. Section 3 shows that the proposed method is faster than other methods. Elliptic curves over a finite field and a ring and the addition formula over elliptic curves are briefly reviewed in Section 4. Then, serial/parallel computations implemented in homogeneous coordinates and affine coordinates are compared.

2 New Method 

The proposed method is a window method based on an adequately chosen signed binary representation of d. The new method is described in this section, clarifying the differences between the previous window method [1] based on ordinary binary representation and the new one. The window method is an extension of the 2^k-ary method. For a given number d, the window method consists of four phases: (1) representation of d, (2) splitting the representation into segments (windows), (3) computing all the segments, and (4) concatenating all the segments.
2.1 Representation

For a given number d, the original window method uses an ordinary (two-valued) binary representation B : (b_λ, b_{λ−1}, ..., b_0), where b_i ∈ {0, 1}, λ = ⌊log_2 d⌋. The proposed method uses the signed (three-valued) binary representation T : [t_{L−1}, ..., t_1, t_0], t_{L−1} ≠ 0, for d satisfying d = Σ_{i=0}^{L−1} t_i 2^i, where t_i ∈ {1̄, 0, 1}, and 1̄ denotes −1. Note that the ordinary binary representation B is uniquely determined for a given d, but T is not.

Morain-Olivos [14] and Jedwab-Mitchell [8] proposed algorithms to transform B into an equivalent T, minimizing the weight (the number of non-zero digits) of T. Note that Morain-Olivos's method (MO method) is equivalent to Jedwab-Mitchell's method (JM method). We propose a new transform algorithm which increases the average length of zero runs in T, while minimizing the weight of T. The average length of the zero runs in a specific T, denoted by Z(T), is defined as follows.

Z(T) = Σ_{i=0} ... [formula not legible in the scan]

where z(−1) = 0.

Let B' be a subsequence of B, and let T' be a subsequence of T. A rule for transforming B' to an equivalent T' is as follows.

Transformation Rule

B' : (1 ··· b_i ··· 1) can be transformed into T' : [1 0 ··· t_i ··· 1̄], where t_i = b_i − 1.

Let #_0(B') be the number of zeroes in B', and let #_1(B') be the number of non-zero digits in B'. The weight of T' is estimated as #_1(T') = 2 + Σ |t_i| = 2 + Σ |b_i − 1| = 2 + #_0(B'). Thus, the weight decreases by the transformation if #_1(B') − #_0(B') > 2.

The proposed transform algorithm inputs B in LSB-first order, counts the difference D(B') = #_1(B') − #_0(B'), and applies the transformation rule repeatedly to appropriate B' with D(B') ≥ 3. The main difference between the proposed method and other methods is the threshold value (such as 3) for applying the transformation rule. The MO method applies the rule to B' with D(B') ≥ 2. Further, the output of both the MO method and the JM method is sparse, which means that no two adjacent digits are nonzero. However, the output of the proposed method is not sparse. The MO method and the proposed method generate T with the same weight. Thus, the average length of zero runs of the output of the proposed method is greater than that of the MO method.
The proposed transform algorithm is shown below.

algorithm transform (input B: array, output T: array)
begin
  M := 0; J := 0; Y := 0; X := 0; U := 0; V := 0; W := 0; Z := 0;
  while X ≤ ⌊log_2 d⌋ do begin
    if B[X] = 1 then Y := Y + 1 else Y := Y − 1;
    X := X + 1;
    if M = 0 then begin
      if Y − Z ≥ 3 then begin
        while J < W do begin T[J] := B[J]; J := J + 1 end;
        T[J] := −1; J := J + 1; V := Y; U := X; M := 1
      end else if Y < Z then begin Z := Y; W := X end
    end else begin
      if V − Y ≥ 3 then begin
        while J < U do begin T[J] := B[J] − 1; J := J + 1 end;
        T[J] := 1; J := J + 1; Z := Y; W := X; M := 0
      end else if Y > V then begin V := Y; U := X end
    end
  end;
  if M = 0 ∨ (M = 1 ∧ V ≤ Y) then begin
    while J < λ do begin T[J] := B[J] − M; J := J + 1 end;
    T[J] := 1 − M; T[J + 1] := M
  end else begin
    while J < U do begin T[J] := B[J] − 1; J := J + 1 end;
    T[J] := 1; J := J + 1;
    while J < λ do begin T[J] := B[J]; J := J + 1 end;
    T[J] := 1; T[J + 1] := 0
  end
  return T
end

[Example] For a given d = 25722562047811804942, the binary representation for d is:

B : (10110010011111000111001011110011000000100110001000101111100001110)

The MO method transforms B into:

T : [101̄01̄0010100001̄00100 1̄0101̄0001̄0101̄00000010101̄00010010 1̄00001̄000100 1̄0]

The proposed algorithm transforms B into:

T : [10110010100001̄0010001̄1̄01̄00001̄1̄01̄0000001001100010001100001̄000100 1̄0]

The average length of zero runs for the MO method is 1.29 and that of the proposed algorithm is 1.42.
2.2 Splitting

The splitting phase is common to both the ordinary binary representation B and the signed binary representation T. Let w be the width of the window. B or T is split into segments with a length of at most w. The following splitting procedure generates a list of all segments. For simplicity, the input array is represented by T.

procedure split (input T: array, w: integer, output S: array)
  Let segment list S be empty
  while (length(T) > w)
  begin
    Let W be the left w digits of T.
    Let R be T excluding W.
    Let W be W excluding the right 0's.
    Let R be R excluding the left 0's.
    Add new segment W to segment list S
    T := R.
  end
  Add last segment T to segment list S
  return S

[Example] Assume T is the signed binary representation generated by the transform algorithm in the previous example. When w = 4, the splitting algorithm outputs the list of segments as

[ (1011) 00 (101) 0000 (1̄001) 000 (1̄1̄01̄) 0000 (1̄1̄01̄) 000000 (1001) (1) 000 (1) 000 (11) 0000 (1̄) 000 (1001̄) 0 ]

where each parenthesized block of digits represents a segment. Note that the transform algorithm increases the run length of 0's in the segment gaps.

2.3 Computing the Segments

In B, the value of each segment is an odd positive integer up to 2^w − 1. In T, if w ≥ 3, the segment value never becomes 2^w − 1 or −(2^w − 1) because of the property of the transform algorithm. Thus, each segment value is an odd integer from −(2^w − 3) to 2^w − 3. The absolute values of all segments are obtained by the following simple addition sequence (i.e. 1, 2, 3, 5, 7, ..., 2^w − 3):

a_0 = 1, a_1 = 2, a_2 = 3, a_i = a_{i−1} + 2 (3 ≤ i ≤ 2^{w−1} − 1).

Therefore, in T, all segment values can be computed by at most 2^{w−1} − 1 additions. In B, all segment values can be computed by at most 2^{w−1} additions.

For the above example, segment values become {11, 5, 7, −13, −13, 9, 1, 1, 3, −1, 7}. Thus, all (absolute) segment values are computed by an addition sequence as 1, 2, 3, 5, ..., 13 in 7 additions.

In reference [1], Bos and Coster computed all segments using a heuristic addition sequence. When the distribution of segment values is sparse, the heuristic method may be effective. However, if the distribution is dense a systematic method may be more effective. When λ = 511 and w = 5, the distribution becomes dense and consequently the proposed systematic method is more effective.

2.4 Concatenating and The Number of Operations 

Concatenation requires doublings and non-doubling additions. For example, for the split T in the above example, concatenation is achieved by:

$$d \cdot P = ((\cdots(((11P \cdot 2^{2+3} + 5P) \cdot 2^{4+4} + 7P) \cdot 2^{3+4} - 13P) \cdots) \cdot 2^{4+1} - P) \cdot 2^{3+4} + 7P) \cdot 2^{1}.$$

The innermost 11P corresponds to the most significant segment, and the exponent 2 + 3 corresponds to the sum of the length 2 of the following window gap and the length 3 of the next segment.
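The three steps above (splitting, the odd-multiple addition sequence, and concatenation) as an added Python example; this is not the paper's code. The paper's transform algorithm B → T is not shown in this section, so the non-adjacent form (NAF) is used as a stand-in signed binary recoding, and the group is passed in as add/double/negate callables (the integers with P = 1 serve as the check).

```python
import random

# Added example, not the paper's code: the splitting algorithm, the
# odd-multiple addition sequence and the concatenation step of the signed
# binary window method over a generic additive group (add, double, negate).
# The paper's transform algorithm B -> T is not reproduced here; the
# non-adjacent form (NAF) is a stand-in signed binary recoding with a
# different zero-run statistic than the paper's T.

def naf(d):
    """Signed binary digits of d > 0 in {-1, 0, 1}, most significant first."""
    digits = []
    while d > 0:
        if d & 1:
            t = 2 - (d & 3)          # +1 if d = 1 (mod 4), -1 if d = 3 (mod 4)
            digits.append(t)
            d -= t
        else:
            digits.append(0)
        d >>= 1
    return digits[::-1]

def split(T, w):
    """Splitting algorithm: returns [(segment_digits, zeros_following), ...].
    Segments start and end with a non-zero digit, so every value is odd."""
    T = list(T)
    segments = []
    while len(T) > w:
        W, R = T[:w], T[w:]
        while W[-1] == 0:            # right 0's of W ...
            W.pop()
            R.insert(0, 0)           # ... join the gap in front of R
        gap = 0
        while R and R[0] == 0:       # left 0's of R are deleted and counted
            R.pop(0)
            gap += 1
        segments.append((W, gap))
        T = R
    gap = 0
    while T and T[-1] == 0:          # trailing 0's of the last segment
        T.pop()
        gap += 1
    if T:
        segments.append((T, gap))
    return segments

def seg_value(digits):
    v = 0
    for t in digits:
        v = 2 * v + t
    return v

def odd_multiples(P, w, add, double):
    """Addition sequence a_0 = 1, a_1 = 2, a_2 = 3, a_i = a_{i-1} + 2 up to
    2^w - 1: table[m] = m*P for odd m, built with 2^(w-1) operations."""
    table = {1: P}
    twoP = double(P)
    ops = 1
    prev = P
    for m in range(3, 2 ** w, 2):
        prev = add(prev, twoP)
        table[m] = prev
        ops += 1
    return table, ops

def window_multiply(d, P, w, add, double, negate):
    """d*P by the window method. Returns (d*P, doublings, non-doubling
    additions, precomputation operations)."""
    segments = split(naf(d), w)
    table, pre_ops = odd_multiples(P, w, add, double)

    def multiple(digits):            # +-(odd value)*P from the table
        v = seg_value(digits)
        return table[v] if v > 0 else negate(table[-v])

    doublings = additions = 0
    first, gap = segments[0]
    acc = multiple(first)            # most significant segment
    for digits, next_gap in segments[1:]:
        for _ in range(gap + len(digits)):   # exponent = gap + segment length
            acc = double(acc)
            doublings += 1
        acc = add(acc, multiple(digits))
        additions += 1
        gap = next_gap
    for _ in range(gap):             # zeros after the last segment
        acc = double(acc)
        doublings += 1
    return acc, doublings, additions, pre_ops

INT_GROUP = (lambda a, b: a + b, lambda a: 2 * a, lambda a: -a)

if __name__ == "__main__":
    rng = random.Random(1)
    for _ in range(200):             # over the integers, d*1 must equal d
        d = rng.getrandbits(512) | (1 << 511)
        val, dbl, adds, pre = window_multiply(d, 1, 5, *INT_GROUP)
        assert val == d
    print("last d: doublings", dbl, "additions", adds, "precomp", pre)
```

Any group with callable add/double/negate can be substituted for INT_GROUP, for instance the elliptic curve formulae of Section 4.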

Let L be the length of B or T. Note that L is A + 1 for B and L is A + 1 or A + 2 for T. Let Z' be the average length of zero runs in the most significant windows for B or T. In other words, Z' is the average number of 0's deleted in W by the splitting algorithm in the beginning. Let Z'' be the average length of zero runs deleted in R by the splitting algorithm for B or T. The average length of the most significant segment is w - Z'. The number of doublings in concatenation is the same as the length of T (or B) except for the most significant segment. Thus, the number of doublings in concatenation is L - (w - Z') for B and T. The average number of segments becomes L/(w + Z''), which corresponds to the number of non-doubling additions in concatenation. Thus, on average, the window method requires R operations:

$$R = (L + Z' - w) + \frac{L}{w + Z''} + C,$$

where $C = 2^{w-1}$ for B, and $C = 2^{w-1} - 1$ for T.

2.5 Analysis of the number of operations 

In this subsection, the parameters L, Z', Z'' and w in the above expression R are analyzed.

The length of T is either (A + 1) or (A + 2). The transform algorithm outputs T of length A + 2 with probability 1/4. Thus, the average length of T, denoted by $\bar{L}$, is expressed by $\bar{L} = \frac{1}{4}(A + 2) + \frac{3}{4}(A + 1) = A + 5/4$.

Let p be the probability that 0 occurs in B. If each digit in B is independent, a straight analysis results in $Z' = p(1 - p^{w})/(1 - p)$ and $Z'' = p(1 - p^{L-w})/(1 - p)$ for B. If p = 0.5, then $Z' = 1 - 2^{-w}$ and $Z'' = 1 - 2^{-(L-w)}$. If w is significant, then $Z'' \approx Z' \approx 1$ for B. For simplicity, let $Z_B$ represent Z' and Z'' for B.

The expected value of Z(T) for all possible T, denoted by $Z_T$, is analyzed as follows. The essence of the transform algorithm is represented by the automaton in Figure 1. The automaton inputs a sequence of bits {0, 1} of B in LSB first order, and outputs $\{\bar{1}, 0, 1\}^*$.

In Figure 1, each arc is labeled by an input digit $b \in \{0, 1\}$. All output digits are determined by one of the following two functions.

$$f(b) = \begin{cases} -1 & \text{if } s_3 < s_0, \\ b & \text{otherwise,} \end{cases} \qquad g(b) = \begin{cases} 1 & \text{if } s_3 < s_0, \\ b & \text{otherwise,} \end{cases}$$

where the condition denoted by $s_3 < s_0$ means that $s_3$ is visited before $s_0$ by a forthcoming transition. A solid arc corresponds to f(b), and a dotted arc corresponds to g(b).

Assume the input (i.e. B) comes from a memoryless binary information source with p = 0.5. Let $z_i$ be the average length of zero runs at state $s_i$. Each value of $z_i$ is obtained by solving the following equations.

$$\begin{aligned}
z_0 &= (1/2)(1 + z_1), \\
z_1 &= (1/2)(1 + z_0) + (1/2)\,\mathrm{Prob}(s_3 < s_0 \mid s_2)(1 + z_3), \\
z_2 &= (1/2)(1 + z_3) + (1/2)\,\mathrm{Prob}(s_0 < s_3 \mid s_1)(1 + z_1), \\
z_3 &= (1/2)(1 + z_4), \\
z_4 &= (1/2)(1 + z_3) + (1/2)\,\mathrm{Prob}(s_0 < s_3 \mid s_5)(1 + z_5), \\
z_5 &= (1/2)(1 + z_0) + (1/2)\,\mathrm{Prob}(s_3 < s_0 \mid s_4)(1 + z_4),
\end{aligned}$$

where $\mathrm{Prob}(s_i < s_j \mid s_k)$ means the probability of the case $(s_i < s_j)$ from state $s_k$. In the above equations, $\mathrm{Prob}(s_3 < s_0 \mid s_2) = \mathrm{Prob}(s_0 < s_3 \mid s_1) = \mathrm{Prob}(s_0 < s_3 \mid s_5) = \mathrm{Prob}(s_3 < s_0 \mid s_4) = (1/2) + (1/2)(1/4) + (1/2)(1/4^2) + \cdots = 2/3$. Thus,

$$z_0 = 1,\quad z_1 = 2,\quad z_2 = 2,\quad z_3 = 1,\quad z_4 = 2,\quad z_5 = 2.$$

Let $p_i$ be the stationary probability of state $s_i$. All $p_i$ are calculated by solving the equation $V = M \cdot V$ where V is the vector of all $p_i$ and M is the given transition matrix. The result is $p_0 = 1/4$, $p_1 = 1/6$, $p_2 = 1/12$, $p_3 = 1/4$, $p_4 = 1/6$, $p_5 = 1/12$. Therefore, $Z_T = \sum_{i=0}^{5} p_i z_i = 3/2$ for the proposed method. Note that $Z_T = 4/3$ for the MO method and the JM method.

In summary, using $\bar{L} = A + 5/4$ and $Z_T = 3/2$, the average number of operations R for T, or $R_T$, is rewritten as:

$$R_T = \left(A + \frac{11}{4} - w\right) + \frac{A + 5/4}{w + 3/2} + 2^{w-1} - 1.$$

The optimal value of the window size w depends on the size of d. It is obtained by solving $\partial R_T / \partial w = 0$. For d with A = 511, w = 5 is the optimal window size.

3 Comparison with other methods 

Brickell [2] proposed a fast hardware implementation of computing $x^d \bmod n$ using the precomputation of the multiplicative inverse $x^{-1} \bmod n$. Morain and Olivos [14] proposed an addition-subtraction chain algorithm based on a binary method. Their method obtains $d_+$ and $d_-$ for d ($d = d_+ - d_-$) and computes $d \cdot P$ as $(d_+ \cdot P) - (d_- \cdot P)$. In the MO method, $d_+ \cdot P$ (and $d_- \cdot P$) are computed using the ordinary binary method. The average number of operations for the MO method is $\frac{4}{3}A + O(1)$.
Yacobi [16] applied the idea of data compression (Lempel-Ziv's incremental parsing algorithm) to splitting the binary representation. The average number of operations in Yacobi's method is $A + (\log(A) - \log\log(A))/2 + 1.5A/\log(A)$, where $A = \lfloor \log_2 d \rfloor$. In his method, the segment size is initially small, and increases by parsing B. This method is inefficient for small d such as A = 511.

Bos and Coster [1] proposed a heuristic for an addition sequence and used a bigger window such as w = 10. This method requires an average of 605 operations for A = 511. However, their method is based on heuristics.

A comparison of several addition(-subtraction) chain algorithms is shown in Table 1. From Table 1, the proposed method is seen to be faster than the other methods.



Table 1. The number of operations for d of 512 bit length

  Method                               Chain   Av.     Worst
  Binary Method [10]                   A       766.5   1022
  Signed Binary Method [2] [8] [14]    A/S     681.7   768
  Yacobi's Method [16]                 A       635.1
  Window Method (w = 5) [1]            A       609.3   630
  Bos-Coster's Method [1]              A       605
  Signed Binary Window Method (w = 5)  A/S     602.6   629


4 The Speed of Each Addition over Elliptic Curves 
4.1 Elliptic Curves over a Finite Field and a Ring 

Let K be a field of characteristic $\ne 2, 3$, and let $a, b \in K$ be two parameters satisfying $4a^3 + 27b^2 \ne 0$. An elliptic curve over K with parameters a and b is defined as the set of points (x, y) with $x, y \in K$ satisfying this equation on the affine plane

$$y^2 = x^3 + ax + b,$$

together with a special element denoted O and called the point at infinity [11]. Elliptic curves over the finite field $F_p$, with p elements, for some prime p, are denoted by $E_p$. What makes elliptic curves interesting in cryptography and number-theoretic applications is the fact that an addition operation on the points of an elliptic curve $E_p$ can be defined to make it an abelian group.

Elliptic curves over the ring $Z_n$, where n is an odd composite square-free integer, can be defined in a similar way to $E_p$. For simplicity, let n be the product of two distinct large primes p and q as in the RSA scheme [15] and the KMOV scheme [9]. Addition on $E_n$, whenever it is defined, is equivalent to the group operation (defined componentwise) on $E_p \times E_q$. Thus, every point P = (x, y) on $E_n$ can be represented uniquely as a pair $[P_p, P_q] = [(x_p, y_p), (x_q, y_q)]$ where $P_p \in E_p$ and $P_q \in E_q$. Note that addition on $E_n$ is undefined if and only if exactly one of the points $P_p$ and $P_q$ is the point at infinity. It is important to note that when all prime factors of n are large, it is extremely unlikely that the sum of two points on $E_n$ is undefined.
4.2 Addition Formulae over Elliptic Curves

Let $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ be two points on the elliptic curve $E_p$. The point $P_3 = P_1 + P_2 = (x_3, y_3)$ is defined according to the following rules. If $P_2 = O$, then $P_3 = P_1 + P_2 = P_1$. If $P_1 = -P_2$, that is, $x_1 = x_2$ and $y_1 = -y_2$, then $P_3 = P_1 + P_2 = O$. When $P_1, P_2 \ne O$ and $P_1 \ne -P_2$, an addition formula to find $P_3 = P_1 + P_2 = (x_3, y_3)$ is given below according to two cases: a non-doubling addition formula where $P_1 \ne P_2$ and a doubling formula where $P_1 = P_2$ [11].

Non-doubling Addition Formula in Affine Coordinates

$$x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda(x_1 - x_3) - y_1, \qquad (1)$$

where $\lambda = (y_2 - y_1)/(x_2 - x_1)$.

Doubling Formula in Affine Coordinates

$$x_3 = \lambda^2 - 2x_1, \qquad y_3 = \lambda(x_1 - x_3) - y_1, \qquad (2)$$

where $\lambda = (3x_1^2 + a)/2y_1$.

Note that a subtraction to find $P_3 = P_1 - P_2$ is defined by changing the sign of $y_2$ in the addition formula $P_3 = P_1 + P_2$.

A point (x, y) on the affine plane is equivalent to a point (X, Y, Z) on the projective plane, where x = X/Z, y = Y/Z. That is, an elliptic curve is also defined as the set of points (X, Y, Z) in homogeneous coordinates satisfying the equation

$$ZY^2 = X^3 + aXZ^2 + bZ^3,$$

together with the point at infinity (0, 1, 0). The non-doubling addition formula (1) and the doubling formula (2) in affine coordinates can be rewritten in homogeneous coordinates. Replace $x_i$ with $X_i/Z_i$ and $y_i$ with $Y_i/Z_i$ (i = 1, 2) and reduce the fractions of $x_3$ and $y_3$ to a common denominator. Then, the resulting numerators of $x_3$ and $y_3$ become $X_3$ and $Y_3$, and the common denominator becomes $Z_3$. Let $P_1 = (X_1, Y_1, Z_1) \in E_p$, $P_2 = (X_2, Y_2, Z_2) \in E_p$, and $P_3 = (X_3, Y_3, Z_3) \in E_p$. The addition formulae to find $P_3 = P_1 + P_2$ in homogeneous coordinates are expressed as follows.
Non-doubling Addition Formula in Homogeneous Coordinates

$$\begin{aligned}
X_3 &= X_1^4 Z_2^4 - 2X_1^3 X_2 Z_1 Z_2^3 + 2X_1 X_2^3 Z_1^3 Z_2 - X_1 Y_1^2 Z_1 Z_2^4 + 2X_1 Y_1 Y_2 Z_1^2 Z_2^3 \\
&\quad - X_1 Y_2^2 Z_1^3 Z_2^2 - X_2^4 Z_1^4 + X_2 Y_1^2 Z_1^2 Z_2^3 - 2X_2 Y_1 Y_2 Z_1^3 Z_2^2 + X_2 Y_2^2 Z_1^4 Z_2, \\
Y_3 &= X_2^3 Y_2 Z_1^4 - 2X_2^3 Y_1 Z_1^3 Z_2 - Y_2^3 Z_1^4 Z_2 + 3X_1 X_2^2 Y_1 Z_1^2 Z_2^2 - 3X_1^2 X_2 Y_2 Z_1^2 Z_2^2 \\
&\quad + 3Y_1 Y_2^2 Z_1^3 Z_2^2 + 2X_1^3 Y_2 Z_1 Z_2^3 - 3Y_1^2 Y_2 Z_1^2 Z_2^3 - X_1^3 Y_1 Z_2^4 + Y_1^3 Z_1 Z_2^4, \\
Z_3 &= -X_1^3 Z_1 Z_2^4 + 3X_1^2 X_2 Z_1^2 Z_2^3 - 3X_1 X_2^2 Z_1^3 Z_2^2 + X_2^3 Z_1^4 Z_2.
\end{aligned} \qquad (3)$$

Doubling Formula in Homogeneous Coordinates

$$\begin{aligned}
X_3 &= 2Y_1 Z_1 \left(a^2 Z_1^4 + 6a X_1^2 Z_1^2 + 9X_1^4 - 8X_1 Y_1^2 Z_1\right), \\
Y_3 &= -a^3 Z_1^6 - 9a^2 X_1^2 Z_1^4 - 27a X_1^4 Z_1^2 + 12a X_1 Y_1^2 Z_1^3 - 27X_1^6 + 36X_1^3 Y_1^2 Z_1 - 8Y_1^4 Z_1^2, \\
Z_3 &= 8Y_1^3 Z_1^3.
\end{aligned} \qquad (4)$$

By introducing intermediate variables that are more moderate than the ones in [9], addition formulae (3) and (4) can be revised to minimize the number of multiplications in serial processing. The revised addition formulae in homogeneous coordinates are:

Revised Non-doubling Addition Formula in Homogeneous Coordinates

$$X_3 = VA, \qquad Y_3 = U\left(V^2 X_1 Z_2 - A\right) - V^3 Y_1 Z_2, \qquad Z_3 = V^3 Z_1 Z_2, \qquad (5)$$

where $U = Y_2 Z_1 - Y_1 Z_2$, $V = X_2 Z_1 - X_1 Z_2$, $A = U^2 Z_1 Z_2 - V^2 T$, $T = X_2 Z_1 + X_1 Z_2$.

Revised Doubling Formula in Homogeneous Coordinates

$$X_3 = 2SH, \qquad Y_3 = W(4F - H) - 8E^2, \qquad Z_3 = 8S^3, \qquad (6)$$

where $S = Y_1 Z_1$, $W = 3X_1^2 + aZ_1^2$, $E = Y_1 S$, $F = X_1 E$, $H = W^2 - 8F$.
Note that all of the above computations are modulo p or modulo n.
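An added example (not the paper's code) that checks the affine formulae (1)-(2) against the revised homogeneous formulae (5)-(6) on a small curve and counts the multiplications of (5) and (6) as Section 4.3 does. The curve y² = x³ + 2x + 3 over F_97 and the point (3, 6) are constructed for this check and are not from the paper.

```python
# Added example, not the paper's code: affine formulae (1)-(2) and the
# revised homogeneous formulae (5)-(6) over a small prime field, checked
# against each other. The curve y^2 = x^3 + 2x + 3 over F_97 and the point
# (3, 6) are constructed here for the check.

P_MOD = 97
A, B = 2, 3
O = None                              # point at infinity, affine coordinates

class Counter:
    """Counts multiplications and divisions in Z_p (additions and multiples
    by small constants are neglected, as in Section 4.3)."""
    def __init__(self):
        self.mul = 0
        self.div = 0

def inv(v):
    return pow(v % P_MOD, P_MOD - 2, P_MOD)

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_MOD == 0

def affine_add(P1, P2, c):
    """P1 + P2 by the non-doubling formula (1) or the doubling formula (2)."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                  # P1 = -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1)     # (2): x1^2 and one division
        c.mul += 1
        c.div += 1
        x3 = lam * lam - 2 * x1
    else:
        lam = (y2 - y1) * inv(x2 - x1)            # (1): one division
        c.div += 1
        x3 = lam * lam - x1 - x2
    c.mul += 1                                    # lambda^2
    y3 = lam * (x1 - x3) - y1
    c.mul += 1                                    # lambda * (x1 - x3)
    return (x3 % P_MOD, y3 % P_MOD)

def proj_add(P1, P2, c):
    """Revised non-doubling formula (5); needs P1 != +-P2, both finite.
    Products shared by U, V and T are computed once: 15 multiplications."""
    X1, Y1, Z1 = P1
    X2, Y2, Z2 = P2
    x2z1, x1z2 = X2 * Z1, X1 * Z2
    y2z1, y1z2 = Y2 * Z1, Y1 * Z2
    z1z2 = Z1 * Z2
    c.mul += 5
    U = y2z1 - y1z2
    V = x2z1 - x1z2
    T = x2z1 + x1z2
    U2, V2 = U * U, V * V
    Aq = U2 * z1z2 - V2 * T                       # the paper's A
    V3 = V2 * V
    c.mul += 5
    X3 = V * Aq
    Y3 = U * (V2 * x1z2 - Aq) - V3 * y1z2
    Z3 = V3 * z1z2
    c.mul += 5                                    # V*A, V^2*X1Z2, U*(), V^3*Y1Z2, V^3*Z1Z2
    return (X3 % P_MOD, Y3 % P_MOD, Z3 % P_MOD)

def proj_double(P1, c):
    """Revised doubling formula (6): 12 multiplications with a != 0; the
    a*Z1^2 term vanishes for a = 0 (KMOV), giving the paper's count of 10."""
    X1, Y1, Z1 = P1
    S = Y1 * Z1
    W = 3 * X1 * X1 + A * Z1 * Z1
    c.mul += 4                                    # S, X1^2, Z1^2, a*Z1^2
    E = Y1 * S
    F = X1 * E
    H = W * W - 8 * F
    c.mul += 3                                    # E, F, W^2
    X3 = 2 * S * H
    Y3 = W * (4 * F - H) - 8 * E * E
    Z3 = 8 * S * S * S
    c.mul += 5                                    # S*H, W*(), E^2, S^2, S^3
    return (X3 % P_MOD, Y3 % P_MOD, Z3 % P_MOD)

def to_affine(pt, c):
    """The single division 1/Z3 at the end of the chain."""
    X, Y, Z = pt
    zi = inv(Z)
    c.div += 1
    return (X * zi % P_MOD, Y * zi % P_MOD)

if __name__ == "__main__":
    P = (3, 6)
    ca, cp = Counter(), Counter()
    twoP = affine_add(P, P, ca)
    threeP = affine_add(P, twoP, ca)
    twoP_h = proj_double((3, 6, 1), cp)
    threeP_h = proj_add((3, 6, 1), twoP_h, cp)
    print("affine:", twoP, threeP, "mult/div", ca.mul, ca.div)
    print("homogeneous:", to_affine(twoP_h, cp), to_affine(threeP_h, cp),
          "mult/div", cp.mul, cp.div)
```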
4.3 Performance Evaluation of Addition Formulae

Computations of the multiples of a point on the elliptic curves $E_n$ can be performed in affine coordinates or homogeneous coordinates. The time complexity of the addition formulae implemented in these coordinates was compared. Each elementary addition over $E_n$ was calculated using addition, subtraction, multiplication and division in $Z_n$. For simplicity, addition, subtraction and special multiplication by a small constant such as $2y_1$ and $3x_1^2$ were neglected because they are much faster than multiplication and division in $Z_n$. In addition formulae (3)-(4) and (5)-(6) in homogeneous coordinates, contrary to addition formulae (1)-(2) in affine coordinates, the divisions in $Z_n$ in each addition over $E_n$ can be avoided. Computation in homogeneous coordinates requires 1 division ($1/Z_3$) in $Z_n$ to obtain both $x_3 = X_3/Z_3$ and $y_3 = Y_3/Z_3$ in the final stage of the chain. Note that division in $Z_n$ can be implemented using the generalized Euclidean algorithm for computing the greatest common divisor.

A serial computation of non-doubling addition formula (1) requires two multiplications and one division in $Z_n$. A serial computation of doubling formula (2) requires three multiplications and one division in $Z_n$. A serial computation of non-doubling addition formula (5) requires 15 multiplications in $Z_n$. For the KMOV elliptic cryptosystem with a = 0, the computation of W in the doubling formula (6) can be simplified as $W = 3X_1^2$. Thus, a serial computation of doubling formula (6) requires 10 multiplications in $Z_n$.

Assume that parallel processing of each addition over $E_n$ is allowed in special hardware. For simplicity, the time for communication among processors is neglected. In affine coordinates, parallel processing of non-doubling addition and doubling requires the same computational complexity as that in serial processing. Consider parallel processing of the addition formula in homogeneous coordinates. In general, parallel multiplication permits any polynomial of degree 2k to be computed in one step from the set of polynomials of degree k, where each step requires the time of one multiplication in $Z_n$. The non-doubling addition formula (3) consists of polynomials of degree 8 with 6 variables; therefore, the values of $X_3, Y_3, Z_3$ can be obtained in 3 steps. The doubling formula (4) consists of polynomials of degree 6 with 4 variables (including a); therefore, the values of $X_3, Y_3, Z_3$ can be similarly obtained in 3 steps. That is, the related terms of degree 2 are computed in the first step, the related terms of degree 4 in the second step, and every term of degree 8 or 6 in the target polynomials in the third step.

Let c denote the ratio of the computation amount of division in $Z_n$ to that of multiplication in $Z_n$. Note that c > 1. Let R be the number of operations of the addition formula in the addition-subtraction chain. Assume that non-doubling additions occur with probability $p_n$ and doublings occur with probability $(1 - p_n)$. For the proposed signed binary window method, we have $p_n \approx 1/6$ and $R \approx 602.6$ for A = 511 as described in Section 2. Table 2 shows the numbers of multiplications in $Z_n$ in serial/parallel processing in affine coordinates and homogeneous coordinates. From Table 2, we can observe that serial computation in homogeneous coordinates is faster than that in affine coordinates if c > 8 and A = 511. Moreover, when A = 511, parallel computation in homogeneous coordinates is always faster than that in affine coordinates.

Table 2. The number of mult./div. in $Z_n$ in the total chain

  Processing   Coordinates    mult.                                 div.
  Serial       Affine         $(2p_n + 3(1 - p_n))R \approx 2.83 \cdot R$     R
  Serial       Homogeneous    $(15p_n + 10(1 - p_n))R \approx 10.83 \cdot R$  1
  Parallel     Homogeneous    $3R$                                  1

When the multiplication chain is carried out based on alphabetically ordered factoring in formula (3), 17 processors are needed in the first step, 29 processors in the second step, and 24 processors in the third step. Since each processor can be used repeatedly, this multiplication system (or addition formula engine) requires 29 processors. Note that parallel computation of formula (4) requires fewer than 29 processors. As a result, each addition over the elliptic curve can be done in 3 multiplications if 29 parallel processors are used.

5 Conclusion 

We have proposed a fast and systematic method of computing a multiple $d \cdot P$ over elliptic curves. This speeding up method is also applicable to computation in any group where the inverse operation is as fast as an ordinary operation. Furthermore, we pointed out that if parallel processing is allowed, each addition over the curve using homogeneous coordinates can be done in 3 multiplications.
Figure 1. Automaton for the transform algorithm
Abstract

This paper examines the following algorithm for generating a probable prime number: choose a random k bit odd number n, and test the numbers n, n + 2, ... for primality using t iterations of Rabin's test, until a probable prime has been found or some maximum number s of candidates have been tested.

We show an explicit upper bound as a function of k, t and s on the probability that this algorithm outputs a composite. From Hardy and Littlewood's prime r-tuple conjecture, an upper bound follows on the probability that the algorithm fails. We propose the entropy of the output distribution as a natural measure of the quality of the output. Under the prime r-tuple conjecture, we show a lower bound on the entropy of the output distribution over the primes. This bound shows that as $k \to \infty$ the entropy becomes almost equal to the largest possible value.

Variants allowing repeated choice of starting points or arbitrary search length are also examined. They are guaranteed not to fail, and their error probability and output entropy can be analysed to some extent.

1 Introduction 

Apart from being mathematically interesting, it is well-known that efficient generation of 
prime numbers is of extreme importance in modern cryptography. 

Although prime numbers can be generated together with a proof of primality quite 
efficiently [8], using the Rabin test [10] remains in many cases the most practical method. 
This is true, even though this test allows some probability of error: it always accepts a 
prime number, but will sometimes accept a composite. The maximal probability with 
which this happens for a given composite is 1/4, but in general the probability is much 
smaller. 

Let $x = 2^k$, and let $M_k$ be the set of odd numbers in the interval [x/2..x[, i.e. the set of odd numbers of bit length precisely k.

An obvious method for generating a probable prime number is to choose uniformly an element n from $M_k$ and subject it to (at most) t independent iterations of the Rabin test. This is repeated until an n is found that passes t iterations. The error probability of this algorithm was studied in [4].

An often recommended alternative to this method uses incremental search from a randomly chosen starting point (see e.g. [6] or [9]). This alternative is more economical in its use of random bits, and can be optimized using test division etc. [2] to be significantly more efficient than the "uniform choice" method. Despite the practical advantages, an analysis of the incremental search method does not seem to have appeared before. Such an analysis will be the subject of this paper.

Before going into details, let us mention some related work: Bach [1] also uses the increment function in connection with primality testing. In his case, however, the increment function is used to generate the witnesses for the test, not the candidate numbers as in our case. Moreover, the results of [1] are concerned with the probability that the test accepts, given that the input number is composite, whereas we of course want the "reversed" probability, namely the probability that the input number is composite given that the test accepts. Finally, the general results of Cohen and Wigderson [3] on reducing the error probability of a BPP algorithm at the cost of a few more random bits would be applicable in our situation, more specifically to the Rabin test itself. This could be used to reduce the worst case probability of 1/4 dramatically. However, what the following shows is essentially that this is unnecessary in our case: for most input numbers, the error probability is already exponentially small, and since we are interested in an algorithm for generating random prime numbers, not the decision problem as such, we only have to worry about the average case behavior.

We now give a more precise version of the algorithm we will look at. The description 
uses the notation above, and parameters s and t. 

ALGORITHM PRIMEINC

1. Choose uniformly a number $n_0 \in M_k$. Put $n = n_0$.

2. Subject n to at most t iterations of the Rabin test. If n passes t iterations, output n and stop.

3. Otherwise (if n fails an iteration), put n = n + 2. If $n > n_0 + 2s$, output "fail" and stop, otherwise go to step 2.
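PRIMEINC as an added Python example, not the authors' code: Rabin's test is the candidate test, s = c·log(x) uses the natural logarithm, and the random source is passed in (a random.Random or an int seed) so a run is reproducible. The trial-division check and the failure-rate helper are additions of this example.

```python
import math
import random

# Added example, not the authors' code: ALGORITHM PRIMEINC with Rabin's test
# as the candidate test. s = c*log(x) uses the natural logarithm (as the
# bound in Section 2 does); rng may be a random.Random or an int seed, so a
# run can be reproduced.

def _rng(rng):
    return random.Random(rng) if isinstance(rng, int) else rng

def rabin_test(n, t, rng):
    """t iterations of Rabin's test with random bases.
    True means n passed all t iterations (n is a probable prime)."""
    rng = _rng(rng)
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    m, r = n - 1, 0
    while m % 2 == 0:                # n - 1 = 2^r * m with m odd
        m //= 2
        r += 1
    for _ in range(t):
        a = rng.randrange(2, n - 1)
        y = pow(a, m, n)
        if y in (1, n - 1):
            continue
        for _ in range(r - 1):
            y = y * y % n
            if y == n - 1:
                break
        else:
            return False             # a witnesses that n is composite
    return True

def primeinc(k, t, c, rng):
    """Steps 1-3 of PRIMEINC. Returns a probable prime, or None for "fail"."""
    rng = _rng(rng)
    x = 1 << k
    s = int(c * math.log(x))         # maximum number of candidates
    n0 = rng.randrange(x // 2, x) | 1    # step 1: n_0 uniform in M_k
    n = n0
    while True:
        if rabin_test(n, t, rng):    # step 2
            return n
        n += 2                       # step 3
        if n > n0 + 2 * s:
            return None

def is_prime_by_trial_division(n):
    """Exact primality check for the small sizes used in the demonstration."""
    if n < 2:
        return False
    f = 2
    while f * f <= n:
        if n % f == 0:
            return False
        f += 1
    return True

def failure_rate(k, c, trials, rng):
    """Fraction of PRIMEINC runs that output "fail". One Rabin iteration is
    enough here: failure depends on the gap to the next prime, not on t.
    Lemma 4 below bounds this by about 2*exp(-2c) for large x."""
    rng = _rng(rng)
    fails = sum(primeinc(k, 1, c, rng) is None for _ in range(trials))
    return fails / trials

if __name__ == "__main__":
    print("k = 64, t = 10, c = 1:", primeinc(64, 10, 1.0, 2023))
    print("failure rate, k = 32, c = 1:", failure_rate(32, 1.0, 2000, 3),
          "vs 2*exp(-2) =", round(2 * math.exp(-2), 4))
```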

It is well known that this algorithm can be optimized by test dividing by small prime 
numbers before applying the Rabin test to a candidate. [2] contains an analysis of the 
optimal number of primes to use. We have omitted this for simplicity because it is clear 
that, independently of the number of small primes used, the error probability of the 
optimized version would be at most that of PRIMEINC. This is because the test division 
can never reject a prime, and so can only give us a better chance of rejecting composites. It 
is clear that the error probability might even become much smaller by using test division, 
but this seems like a difficult problem to analyse. 

2 The Error Probability 

In this section we will look at the probability that PRIMEINC outputs a composite. Let E be the event that this happens, and let $q_{k,t,s} = \mathrm{Prob}(E)$. Let $C_m \subset M_k$ be the set of composites for which the probability of passing the Rabin test is larger than $2^{-m}$. In [4], the following upper bound is proved on the size of $C_m$:
Lemma 1

If $m < 2\sqrt{k-1} - 1$, we have

$$|C_m| / |M_k| < \alpha \sum_{j=2}^{m} 2^{\,m - j - (k-1)/j},$$

where $\alpha = 10.32$.

Let $D_m = \{n \in M_k \mid [n..n + 2s[\ \cap\ C_m \ne \emptyset\}$, for m > 2, and put (for convenience) $D_2 = \emptyset$. We clearly have:

Lemma 2

$D_m \subset D_{m+1}$ and $|D_m| \le s \cdot |C_m|$.

This implies the following result:

Theorem 1

Let $s = c \cdot \log(x)$ for some constant c. Then

$$q_{k,t,s} < ck\left(0.5\,ck \sum_{m=3}^{M} P(C_m)\,2^{-t(m-1)} + 0.7 \cdot 2^{-tM}\right)$$

where $M \ge 3$, and $P(C_m)$ denotes the probability that a random number in $M_k$ is in $C_m$.
Proof

Identify $D_m$ with the event that the starting point $n_0$ is in $D_m$. Then by Lemma 2, $P(D_m) \le s \cdot P(C_m)$. By the fact that $D_m \subset D_{m+1}$, we have

$$\begin{aligned}
q_{k,t,s} &= \sum_{m=3}^{M} P\big(E \cap (D_m \setminus D_{m-1})\big) + P(E \cap \neg D_M) & (1) \\
&\le \sum_{m=3}^{M} P(D_m)\,P\big(E \mid D_m \setminus D_{m-1}\big) + P(E \mid \neg D_M) & (2)
\end{aligned}$$

Now consider the probability that E occurs given that some fixed $n_0 \notin D_m$ was chosen. Then no candidate we consider will be in $C_m$, and so for any composite candidate, the probability of accepting it will be at most $2^{-mt}$. The probability of outputting a composite clearly is maximal when all candidates are composite, in which case we accept one of the candidates with probability at most $s \cdot 2^{-mt}$. This means that

$$\begin{aligned}
q_{k,t,s} &\le s^2 \sum_{m=3}^{M} P(C_m)\,2^{-t(m-1)} + s \cdot 2^{-tM} & (3) \\
&\le 0.5\,(ck)^2 \sum_{m=3}^{M} P(C_m)\,2^{-t(m-1)} + 0.7\,ck\,2^{-tM} & (4)
\end{aligned}$$

The theorem follows.
It is clear that we can get explicit bounds on $q_{k,t,s}$ by combining Lemma 1 and Theorem 1, where the value of M should be optimized to get the best possible result. Table 1 shows concrete results obtained for c = 1, 5 and 10. The following proposition gives a very rough idea of how the bound behaves for large k.

Proposition 1

For any constants c (where $c\log(x) = s$) and t, $q_{k,t,s}$ as a function of k satisfies

for some constant δ.

Proof

It is sufficient to show the result for t = 1. From Lemma 1 we get that $P(C_m)$ is less than a constant times $2^m\, m\, 2^{-2\sqrt{k-1}}$, by observing that $-j - (k-1)/j$ is always less than $-2\sqrt{k-1}$. The lemma now follows immediately by inserting this in the result of Theorem 1.

3 The Failure Probability 

To get a good bound on the error probability, we should choose c to be as small as 
possible. The obvious disadvantage is that this is likely to increase the probability that 
the algorithm fails. 

To say something conclusive about this, we should clearly know something about the gaps between consecutive primes. Unfortunately, no unconditional result is known about this that would be strong enough for our purposes. However, Gallagher [5] has shown, based on Hardy and Littlewood's prime r-tuple conjecture [7], the following result:

Lemma 3

Under the prime r-tuple conjecture, we have: For any constant λ, the number of n's in the interval [1..x] such that the interval $[n..n + \lambda\log(x)]$ contains precisely k primes, is

$$x \cdot \frac{e^{-\lambda}\lambda^k}{k!} \quad \text{as } x \to \infty.$$

Let d(n) denote the distance from n to the next, larger prime. Then Lemma 3 means in particular (by taking k = 0) that for n chosen uniformly between 1 and x, the probability that $d(n) > \lambda\log(x)$ is $\exp(-\lambda)$, as $x \to \infty$. This is the only part of Gallagher's result we will need in the following. It implies that the expected distance to the next prime is log(x). We have confirmed this experimentally (see Figure 1).

The following lemma gives a corresponding result for the interval [x/2..x[. 
Table 1: Shows $-\log_2$ of the upper bound on $q_{k,t,s}$ as a function of k, for $s = 1 \cdot \log(x)$, $5\log(x)$ and $10\log(x)$.
Lemma 4

Assume the prime r-tuple conjecture holds, and that PRIMEINC is executed with $s = c\log(x)$. Let p(c) be the probability that the algorithm fails. Then for any ε,

$$p(c) \le 2\exp(-2c) - \exp(-2c - \epsilon) \quad \text{as } x \to \infty.$$

Proof

Put λ = 2c, and let $p_y(\lambda)$ be the probability that $d(n) > \lambda\log(x)$, when n is uniform between 1 and y. Then

$$p_x(\lambda) = \tfrac{1}{2}\left(p(c) + p_{x/2}(\lambda)\right).$$

The lemma now follows from Lemma 3, since for any ε > 0 and all large enough x, $(\lambda + \epsilon)\log(x/2) > \lambda\log(x)$.

This means that for large x, the failure probability is essentially exp(-2c), and certainly less than 2exp(-2c). By Theorem 1, the error probability increases at most quadratically with c; we can therefore choose values of c for which both error and failure probability are small.

As a realistic example, suppose we put k = 300 and c = 10. Then we fail with probability about $2^{-28}$, or 1 in 200 million times, and with t = 6 we still get an error probability of at most $2^{-51}$. It seems reasonable to make the error probability much smaller than the failure probability: a failure is detectable and can be recovered from, whereas an error is never detected, at least not by PRIMEINC itself.



4 The Output Distribution 

This section is concerned with the quality of the output from PRIMEINC, in particular 
how the output is distributed over the possible primes. This is a critical point in crypto- 
graphic applications (e.g. RSA), where the output prime is to be kept secret. One should 
expect that an enemy knows which algorithm is being used to generate the primes, and 
it is natural to demand that this will not give him any significant advantage. 

We suggest using the entropy of the output distribution as a measure of its quality. This is natural, since it measures the enemy's uncertainty about the prime generated. From this point of view it is clear that the optimal output distribution is the uniform distribution over the primes in $M_k$, since it has maximal entropy. By the prime number theorem, this maximal value is about $H_u(x) = \log(x/2\log(x))$ for large x. Below, we will show that the entropy of the distribution output by PRIMEINC is very close to $H_u(x)$ for large x.

Since we will be using the prime r-tuple conjecture directly in the following, we quote it here:

Prime r-tuple conjecture

For a fixed r-tuple of integers $d = (d_1, \ldots, d_r)$, let $\pi_d(x)$ be the number of n's less than or equal to x, such that the $n + d_i$ are all primes. For a prime p, let $\nu_d(p)$ denote the number of distinct residue classes modulo p occupied by numbers in d. The conjecture now says that

$$\pi_d(x) \sim S_d\,\frac{x}{\log(x)^r} \quad \text{as } x \to \infty$$

where

$$S_d = \prod_p \left(\frac{p}{p-1}\right)^{r-1} \frac{p - \nu_d(p)}{p - 1}.$$

For r = 1, this is just the prime number theorem. For d = (0, 2), it is a statement about prime twins, and here $S_d \approx 1.32$.

By an argument similar to that of Gallagher, one can show that under this conjecture, the following holds:

Lemma 5

Let $F_h(x)$ denote the number of primes p such that p < x and p - q < h, where q is the largest prime less than p. Then for any constant λ,

$$F_{\lambda\log(x)}(x) = \frac{x}{\log(x)}\left(1 - e^{-\lambda}\right)(1 + o(1))$$

as $x \to \infty$.

Proof

By definition of the $\pi_d$'s, it is clear that $F_h(x)$ can be found using inclusion/exclusion:

$$F_h(x) = \sum_{1 \le d_1 < h} \pi_{0,d_1}(x) - \sum_{1 \le d_1 < d_2 < h} \pi_{0,d_1,d_2}(x) + \sum_{1 \le d_1 < d_2 < d_3 < h} \pi_{0,d_1,d_2,d_3}(x) - \cdots$$

Using the prime r-tuple conjecture, we get that 

x 



as $x \to \infty$. Using a modification of Gallagher's method from [5], one can show that

$$\sum_{1 \le d_1 < \cdots < d_r < h} S_{0,d_1,\ldots,d_r} \sim \frac{h^r}{r!}$$

as $h \to \infty$, with an error term of $O(h^{r-1/2+\epsilon})$ for any ε > 0. Inserting this in the above and choosing $h = \lambda\log(x)$ for a constant λ gives us that

$$F_{\lambda\log(x)}(x) = \frac{x}{\log(x)} \sum_{r \ge 1} (-1)^{r-1} \frac{\lambda^r}{r!}\,(1 + o(1)),$$

which immediately implies the lemma.

This lemma shows that the gaps between consecutive primes, loosely speaking, follow an exponential distribution. It corresponds nicely with Gallagher's result since a Poisson distribution in statistics results from counting random events with exponentially distributed gaps occurring in a certain time slot.

Let $F'_h(x)$ denote the number of primes p such that x/2 < p < x and p - q < h, where q is the largest prime less than p. It is a trivial consequence of Lemma 5 that

$$F'_{\lambda\log(x)}(x) = \frac{x}{2\log(x)}\left(1 - e^{-\lambda}\right)(1 + o(1))$$

as $x \to \infty$.

We now return to PRIMEINC and consider the restriction of the output distribution to the cases where the algorithm does not fail. For simplicity, we will look at an "ideal PRIMEINC" that never accepts a composite; we let H(x) denote the entropy of the resulting distribution over the primes in $M_k$. By Proposition 1, the distribution of the real PRIMEINC only assigns a negligible amount of probability mass¹ to composite numbers, and hence the difference between the entropy of this distribution and H(x) will be negligible.
Theorem 2

If ideal PRIMEINC is executed with $s = c \cdot \log(x)$ for any constant c, then under the prime r-tuple conjecture,

$$\frac{H(x)}{H_u(x)} \to 1 \quad \text{as } x \to \infty.$$

Proof

The number of starting points $n_0$ that lead to non-failure will be called N. For a prime p, let d(p) be the distance to the largest prime smaller than p, and P(p) the probability that p is produced as output. Then

$$P(p) = \begin{cases} d(p)/2N, & \text{if } d(p) < 2c\log(x) \\ 2c\log(x)/2N, & \text{if } d(p) > 2c\log(x) \end{cases}$$

Now choose n + 1 constants $0 = \lambda_0 < \lambda_1 < \ldots < \lambda_{n+1} = 2c$. By Lemma 5, the number of primes with $\lambda_i\log(x) \le d(p) < \lambda_{i+1}\log(x)$ is

$$\frac{x}{2\log(x)}\left(e^{-\lambda_i} - e^{-\lambda_{i+1}}\right)(1 + o(1)).$$

This gives us the following:

$$\begin{aligned}
H(x) &= \sum_{x/2 < p < x} P(p)\log(1/P(p)) \\
&= \sum_{i=0}^{n} \ \sum_{\lambda_i\log(x) \le d(p) < \lambda_{i+1}\log(x)} P(p)\log(1/P(p)) \ + \sum_{d(p) > 2c\log(x)} P(p)\log(1/P(p))
\end{aligned}$$



¹ Here, a probability is called negligible if, as a function of k, it converges to 0 faster than any polynomial fraction.
  k      H(x)    H_u(x)   H(x)/H_u(x)
  17     8.38    8.65     0.97
  31     17.4    17.7     0.98
  64     38.9    39.8     0.98
  128    82.5    83.5     0.99
  257    171     172      0.99

Table 2: Shows estimates for the entropy of the output from PRIMEINC with infinite search length compared with the maximal entropy value. The values are exact for k = 17, 31, and are based on a sample interval of length about $2^{27}$ for the rest of the values. Note that the entropy for any finite search length will be larger than the H(x) value shown.



$$\begin{aligned}
&\ge (1 + o(1))\left(\sum_{i=0}^{n} \frac{x}{2\log(x)}\left(e^{-\lambda_i} - e^{-\lambda_{i+1}}\right)\frac{\lambda_i\log(x)}{2N}\log\frac{2N}{\lambda_{i+1}\log(x)} + \frac{x}{2\log(x)}\,e^{-2c}\,\frac{2c\log(x)}{2N}\log\frac{2N}{2c\log(x)}\right) \\
&= (1 + o(1))\,\frac{x}{4N}\left(\log\frac{2N}{2c\log(x)}\left(\sum_{i=0}^{n} \lambda_i\left(e^{-\lambda_i} - e^{-\lambda_{i+1}}\right) + 2c\,e^{-2c}\right) + \Delta\right)
\end{aligned}$$

where Δ is a constant. By Gallagher's result, $N \sim \frac{x}{4}\left(1 - e^{-2c}\right)$ as $x \to \infty$. We therefore get that

$$\frac{H(x)}{H_u(x)} \ge \frac{1 + o(1)}{1 - e^{-2c}}\left(\sum_{i=0}^{n} \lambda_i\left(e^{-\lambda_i} - e^{-\lambda_{i+1}}\right) + 2c\,e^{-2c}\right).$$

By choosing a larger number of $\lambda_i$'s with smaller intervals, we can make the sum over i arbitrarily close to $\int_0^{2c} y e^{-y}\,dy = 1 - e^{-2c} - 2c\,e^{-2c}$, which implies the result of the theorem since $H(x)/H_u(x)$ is always smaller than 1.

Thus, for large x, the entropy is very close to maximal independently of the value of 
c. In fact one can show by an argument similar to the one for Theorem 2 that if we take 
c = oo, i.e. allow the algorithm to run indefinitely until a prime is found, the resulting 
entropy would still be close to maximal in the same sense as in Theorem 2. Taking any 
finite value of c means that we are limiting the probability for any single prime to a certain 
maximum. Intuitively, this should make the distribution closer to the uniform one, and 
so the entropy should be close to maximal for any finite value of c; Theorem 2 confirms 
this intuition. 

We have done some numerical experiments to estimate how fast the convergence in
Theorem 2 is. Table 2 shows the entropy for various values of $k = \log_2(x)$ and an infinite
search length. For $k \ge 64$ the values are estimates based on primes in an interval of length
about $2^{27}$. Already for small values of $k$, the entropy is close to maximal, and the value
clearly tends to increase with increasing $k$, in accordance with Theorem 2.

To illustrate the exponential distribution of gaps between primes, we plotted the
frequency of gaps between primes in various intervals against their length. A logarithmic
scale was used, such that a straight line should result, according to the exponential
distribution. The result can be seen in Figure 1. The straight line shown represents the values
predicted by Lemma 5.

Figure 1: The graphs here show the distribution of gaps between primes in $M_k$ and
distances to the next prime from a random starting point. The "sawtooth" graphs represent
the gaps. Results for k = 17 and 31 are exact, the rest are based on samples of length
about $2^{27}$. We plotted the distances divided by $\log(x)$ on the horizontal scale against the
logarithm of the frequencies of distances. This normalizes the graphs such that they can
be directly compared. The distributions predicted by Lemma 4 and 5 are represented by
the straight lines.

5 Getting rid of Failures 

There are two obvious ways to remove the (unlikely) failures in PRIMEINC: 
Choose a new random starting point 

- and try a new search. The question is, however, how many times we will have to do this 
to make (almost) sure that we find a probable prime, and what will happen to the error 
probability in that case? 

Consider therefore an algorithm that simply iterates PRIMEINC with some fixed
$k, t, s = c \cdot \log(x)$ until a probable prime is output.

By the prime number theorem, each starting point $n_0$ is prime with probability $\Theta(k^{-1})$.
Therefore, there is exponentially small (in $k$) probability that the number of iterations is
larger than, say, $k^2$. This implies an upper bound on the expected running time. On the
other hand, the error probability for $k^2$ iterations is at most

by Proposition 1, and so still asymptotically smaller than any polynomial fraction.

These arguments only give a very rough upper bound on the error probability and 
running time, but they add some theoretical justification to the algorithm, as they are 
unconditional results (independent of the prime r-tuple conjecture). 

One disadvantage of this approach, however, is that is seems very difficult to analyse 
the entropy of the output distribution. 

Let the search go on indefinitely 

- until a probable prime has been found. Let $q_{k,t,\infty}$ denote the error probability of this
algorithm. It is clear that $q_{k,t,\infty}$ can be no larger than the error probability of an algorithm
that first runs PRIMEINC with some finite $s = c\log(x)$, outputs the number PRIMEINC
produces (if one is found) and outputs a composite in the event of a failure. By Lemma
4, this implies that under the prime $r$-tuple conjecture,

$$q_{k,t,\infty} \le p_{k,t,c\log(x)} + e^{-2c}(1 + o(1))$$

for any constant $c$. Thus we cannot say anything unconditional about the error probability;
on the other hand we can in this case analyse the entropy of the output distribution, as
mentioned in the remarks following Theorem 2.

The numerical evidence we collected leads us to conjecture that $e^{-2c}$ is a good
overestimate of the failure probability already for quite small values of $k$, say, larger than 64.
Figure 1 shows the actual distribution of the distance to the next prime in some example
intervals, compared with the values predicted by Lemma 4. Assuming $e^{-2c}$ as an upper
bound on the probability, we get that $q_{k,t,\infty} \le p_{k,t,c\log(x)} + e^{-2c}$.

Using Theorem 1 and optimizing for the value of $c$, one can get concrete estimates for
$q_{k,t,\infty}$. The results are shown in Table 3.
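The following Python program is an added example, not code from the paper, that makes the quantities of Theorem 2, Table 2 and this section concrete for $k = 17$, the one row of Table 2 the paper computed exactly. It models ideal PRIMEINC (exact primality, so the Miller-Rabin error term $p_{k,t,s}$ is not modelled) by exhausting every odd starting point $n_0$ in $(x/2, x)$, $x = 2^k$, and reports the entropy $H(x)$ of the output distribution in nats, the uniform maximum $H_u(x) = \ln(\text{number of primes})$ (which is how Table 2's 8.65 arises: there are 5709 primes between $2^{16}$ and $2^{17}$, and $\ln 5709 \approx 8.65$), and the fraction of starting points that fail for a finite search length, to be compared with the $e^{-2c}$ bound assumed above. The function names and the reading of $s = c\log(x)$ as $\lfloor c \ln x \rfloor$ odd candidates are my assumptions about the paper's setup.

```python
"""Added example (not the paper's code): an exhaustive model of ideal PRIMEINC.

PRIMEINC here: pick an odd starting point n_0 in (x/2, x), x = 2^k, and walk upward
through odd candidates; output the first prime, or fail after s candidates.  c=None
means an unbounded search (the paper's c = infinity).  Primality is exact (a sieve),
so this is the ideal algorithm with t = infinity; p_{k,t,s} is not modelled.
"""
import math
from collections import Counter


def sieve(limit):
    """flags[n] == 1 iff n is prime, for 0 <= n <= limit."""
    flags = bytearray([1]) * (limit + 1)
    flags[0] = flags[1] = 0
    for p in range(2, int(limit ** 0.5) + 1):
        if flags[p]:
            flags[p * p::p] = bytearray(len(range(p * p, limit + 1, p)))
    return flags


def primeinc_distribution(k, c=None):
    """Exhaust every odd starting point n_0 in (x/2, x).

    Returns (Counter prime -> number of starting points that output it, failures).
    s = floor(c * ln x) odd candidates are tried, so the search covers a distance
    of about 2c * ln x, the scale used in Lemmas 4 and 5 (assumption about the setup).
    """
    x = 1 << k
    s = None if c is None else int(c * math.log(x))
    flags = sieve(x + 64 * k)            # margin: the last searches may pass x
    next_prime = [None] * len(flags)     # next_prime[n] = smallest prime >= n
    cur = None
    for n in range(len(flags) - 1, -1, -1):
        if flags[n]:
            cur = n
        next_prime[n] = cur
    counts, failures = Counter(), 0
    for n0 in range(x // 2 + 1, x, 2):
        p = next_prime[n0]
        if s is not None and (p - n0) // 2 >= s:
            failures += 1                # no prime among n0, n0+2, ..., n0+2(s-1)
        else:
            counts[p] += 1
    return counts, failures


def entropy_nats(counts):
    """Shannon entropy, natural logarithm, of the output distribution."""
    total = sum(counts.values())
    return -sum(v / total * math.log(v / total) for v in counts.values())


def entropy_report(k, c=None):
    """(H(x), H_u(x), H/H_u, failure fraction): one row of Table 2 plus Lemma 4's quantity."""
    counts, failures = primeinc_distribution(k, c)
    x = 1 << k
    n_primes = sum(sieve(x)[x // 2 + 1:x])           # primes p with x/2 < p < x
    h, h_u = entropy_nats(counts), math.log(n_primes)
    n_starts = len(range(x // 2 + 1, x, 2))
    return h, h_u, h / h_u, failures / n_starts


if __name__ == "__main__":
    for c in (None, 1, 2):
        h, h_u, ratio, fail = entropy_report(17, c)
        bound = math.exp(-2 * c) if c is not None else 0.0
        print(f"k=17 c={c}: H={h:.2f} H_u={h_u:.2f} H/H_u={ratio:.3f} "
              f"failures={fail:.3f} e^-2c={bound:.3f}")
```

Running it prints $H(x)$, $H_u(x)$, their ratio and the failure fraction for $c = \infty, 1, 2$ next to $e^{-2c}$. The paper only claims that $e^{-2c}$ overestimates the failure probability for $k$ above about 64, so at $k = 17$ the last column is a sanity check of the scale, not a confirmation of the conjecture; the exhaustive loop over $2^{k-2}$ starting points is what limits this model to small $k$, which is exactly why the paper sampled intervals of length about $2^{27}$ for the larger rows.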
Table 3: Shows $-\log_2$ of the upper bound on $q_{k,t,\infty}$ as a function of $k$ and $t$ assuming
that the failure probability of PRIMEINC with $s = c\log(x)$ is at most $e^{-2c}$.

6 Conclusion 

We have shown some explicit upper bounds on the error probability of the PRIMEINC 
algorithm. Together with the prime r-tuple conjecture, these bounds show that we can 
choose the maximal length of the search such that both the error probability and the 
failure probability are in practice negligible, even for quite small values of t. 

Moreover, under the prime $r$-tuple conjecture, we have seen that the uncertainty about
the prime produced by PRIMEINC is very close to maximal, for any value of $c$, including
$c = \infty$. This strongly suggests that, compared to a uniform choice, there is no significant
loss of security when using PRIMEINC in cryptographic applications where secret primes
are required.

For the case where one iterates PRIMEINC if no probable prime is found, we have
seen unconditional results on the running time and error probability. In the case where
instead the search is allowed to go on indefinitely, the prime $r$-tuple conjecture implies
results on both running time, error probability and entropy.

Abstract. Cryptographic ideas and protocols that are accessible to chil-
dren are described, and the case is made that cryptography can provide 
an excellent context and motivation for fundamental ideas of mathemat- 
ics and computer science in the school curriculum, and in other venues 
such as children's science museums. It is pointed out that we may all 
be doing "Kid Krypto" unawares. Crayon-technology cryptosystems can 
be a source of interesting research problems; a number of these are de- 
scribed. 

1 Introduction 

The purpose of this paper is to open a discussion of cryptography for children. 
The fruits of this discussion can serve several worthwhile purposes, such as: 

(1) the popularization of cryptography with children and the general public 
through such forums as children's science museums, 

(2) the enrichment and improvement of the school mathematics curriculum by 
providing a stimulating context for logical and mathematical modes of thinking, 
and 

(3) the amusement and intellectual stimulation of researchers. 

We hope to convince the reader that devising ways to present the fundamental 
ideas of cryptography to children not only makes it possible to expose children to 
some electrifying mathematics, but also can be stimulating for our own research 
and can give us a fresh perspective on what we do. 

In the following sections of this paper we will describe some examples of 
cryptographic ideas and constructions that have been or could easily be presented 
to children. Some of these might be characterized as pre-cryptography, i.e., they
involve certain elements of cryptography but do not yet constitute a sophisticated 
protocol. Others are fully developed cryptosystems. The following assertions 
summarize our outlook. 

• By its very essence, cryptography is a most excellent vehicle for presenting 
fundamental mathematical concepts to children. 

Cryptography can be broadly defined as "mathematics/computer science in
the presence of an adversary." Implicit in any discussion of cryptography are 
elements of drama, of theater, of suspense. Few things motivate children as much 
as wanting to defeat the "bad guys" (or play the role of bad guys themselves). 
Children are in the business of decrypting the world of adults, and many of the 
video games that are now popular with children involve deciphering "clues" in
order to achieve some goal. 

Cryptography's ability to excite children has long been understood by ad- 
vertisers of products like Rice Krispies and Crackerjacks. Many of us grew up 
quarreling with our siblings over who was going to get the decoder ring in the 
Crackerjacks box. Currently, boxes of Rice Krispies have on the back a "secret 
algorithm" age guessing game based on binary representation of integers. 

• Kid Krypto is a source of interesting research problems. 

We are essentially proposing a new criterion for deciding that a cryptosystem 
is worthy of attention: accessibility. As in the case of the more traditional criteria 
— efficiency and security — the search for cryptosystems that meet the accessi- 
bility standard naturally leads to interesting theoretical and practical questions. 
It is a new challenge to determine how much can really be done with mini- 
mal mathematical knowledge, and to find ways to present cryptographic ideas 
at a completely naive level. Moreover, experiences working with children have 
suggested some provocative problems in discrete mathematics and theoretical 
computer science, some examples of which will be described later. 

A newly proposed cryptosystem might not be efficient enough or secure 
enough to compete in the realm of adult cryptography with those that already 
exist, but may nevertheless be of tremendous pedagogical value and merit our 
attention for that reason alone. In addition, it seems clear that interesting ques- 
tions are likely to arise when we take a second look at some cryptosystems that 
have been too quickly forgotten. 

Even a cryptosystem that can be broken in polynomial time may be of use 
in Kid Krypto, if the mathematics needed to break the system is less accessible 
than what is needed to implement the system. For example, some versions of the 
Perfect Code system explained below can be broken by linear algebra modulo 
m, but the system can be implemented using nothing more sophisticated than 
addition modulo m. In other words, we are proposing a new security hierarchy, 
with such notions as accessible and secure for ages 5-10, accessible and secure 
for high school students, etc. 

• There is no sharp line between Kid Krypto and adult crypto, so it would be 
unwise for us to belittle the former. 

After all, the security of all of our cryptosystems depends upon our assumed 
inability to perform certain mathematical tasks, such as discover a fast factoring 
algorithm. If a space alien from a very advanced civilization were to visit the 
earth, she might be surprised to find us using cryptosystems based on factoring 
and discrete log. Suppose that on her planet polynomial time algorithms to 
factor integers, find discrete logs in finite fields, and even find discrete logs on 
nonsupersingular elliptic curves have been known for centuries, and are routinely 
taught in high school. She would regard RSA, ElGamal, etc. as suitable only for 
pre-high school children in her culture. 

In other words, in some sense we are all doing Kid Krypto, whether we know 
it or not. 

• Kid Krypto is best done without computers. 
This is crayon-technology cryptography. The tools needed are: pencils, a lot
of paper, crayons of different colors, and perhaps some pieces of string or sticks. 
There is no material obstacle to introducing Kid Krypto in poor school districts 
as well as rich ones — in Watts and Soweto as well as in Santa Barbara and 
Scarsdale. 

We see the absence of computers as a positive educational step. The public 
needs to understand that computer science is not about computers, in much the 
same way that cooking is not about stoves, and chemistry is not about glass- 
ware. What children need in order to become mathematically literate citizens is 
not early exposure to manipulating a keyboard, but rather wide-ranging expe- 
rience working in a creative and exciting way with algorithms, problem-solving 
techniques and logical modes of thought. 

Computers have been shamelessly oversold to teachers and school systems. 
In speaking to parents, teachers and school boards, many company representa- 
tives have taken the hard-sell approach: "If you don't buy our latest products 
you will be neglecting to prepare your children for the 21st century." Because 
of pressure from the companies and the media, computers have been fetishized 
to the extent that they threaten to become the Cargo Cult of the 21st century. 
Most of the time, computers serve as nothing more than an expensive distrac- 
tion. The main beneficiaries of all the hype have been (1) computer hardware 
and software companies, and (2) educators who receive generous grants for the 
purpose of finding a way to use computers in the schools. Most schools would 
probably be better off if they threw their computers into the dumpster. It is our 
prediction that the Golly-Gee-Whiz-Look-What-Computers-Can-Do school of 
mathematical pedagogy will eventually come to be regarded as a disaster of the 
same magnitude as the "new math" rage of the 1960s. 

2 Pre-Crypto 

In order to present cryptography to young children, there are certain "building 
block" ideas which are useful to present first, and that are engaging in their own 
right. We point to three of these in particular, and describe how they can be 
simply presented. 

(1) The notion of an algorithm, and of computational complexity. 

(2) The notion of a one-way function. 

(3) The notion of an information hiding protocol. 

2.1 Algorithms and Complexity 

There are now a tremendous number of delightful ways that the fundamental 
ideas of algorithmic procedure and computational complexity can be presented to 
young children. We mention here just a few of our favorites. The examples below 
have been tried out many times, with great success, with children sometimes as 
young as 5 or 6. 






The first problem is Map Coloring. If you were to visit a first-grade classroom 
to share this lovely problem, you might very well arrive in a room full of children 
who are already coloring something anyway! You might tell the story of the poor 
Map-Colorer, trying to eke out a living with few crayons, and then pass out a map 
that needs to be colored. The definition of a proper coloring is visual, and can be 
illustrated with the maps at hand in the classroom. It is only a few minutes until 
most of the children understand the problem you have posed (finding out the 
minimum number of colors for the map you have passed out) and are puzzling 
away at it. As the children work to decrease the number of colors needed, you 
can display the "best known" solution so as to add to the excitement. 

It is a good idea to come to the classroom with plenty of copies of 3 or 4 
different maps. It is easy to generate a map that is two-colorable by overlaying 
closed curves. (Generating such a map is another topic the children may have 
fun thinking about). See Figure 1. In a typical first-grade classroom, children 
will figure out the algorithm for 2-coloring on their own, and they will see that it 
goes very quickly. It is easy enough to explain why it works: it has been called the 
"Have-to Algorithm" (if a country is red, then its neighbors have to be blue, and 
their neighbors have to be red, ...). Afterwards, you might distribute a map that 
requires 3 colors so that they can concretely contrast the 2-coloring experience 
with the apparent difficulty of finding a 3-coloring of a 3-colorable map.




Fig. 1. Example of a 2-colorable map generated by overlaying closed curves 

Another excellent topic for children is the problem of computing a Minimum 
Weight Spanning Tree in a graph. Several efficient algorithms for solving this
algorithmic problem are known and are routinely covered in college level courses 
on design and analysis of algorithms. The story we use to present the problem is 
meant to be entertaining, but it should be noted that there are many practical 
applications of this problem. 

The children are given a map of Muddy City and told the story of its woes 
— cars disappearing into the mud after rainstorms, etc. The mayor insists that 
some of the streets must be paved, and poses the following problem. (1) Enough 
streets must be paved so that it is possible for everyone to travel from his or 
her house to anyone else's house by a route consisting only of paved roads, but 
(2) the paving should be accomplished at a minimum total cost, so that there 
will be funds remaining to build the town swimming pool. Thus, the children 
are asked to devise a paving scheme meeting requirement (1), connecting up the 
town by a network of paved roads, that involves a minimum total amount of
paving. The cost of a paving scheme is calculated by summing the paving costs 
of the roads chosen for surfacing. For the map shown in Figure 2 a solution of 
total cost 23 can be found. 




Fig. 2. Muddy City 



The children work on the problem, usually in small groups, with the immedi- 
ate objective of finding the best possible solution. This was typically recorded in 
a place that everyone could see. Students were asked to describe their strategies 
and ideas, both as they worked and in a concluding discussion. In classrooms 
where the students kept mathematics journals, they also wrote descriptions of 
the problem and of their ideas on how to solve it. These math journals were 
instituted with great success in a second-grade classroom and a fourth-grade 
classroom. 

As part of the wrap-up discussion, we sometimes presented Kruskal's al- 
gorithm (one of several known algorithms for solving this problem efficiently). 
This method of finding an optimal solution consists simply of repeatedly paving 
a shortest street which does not form a cycle of paved streets, until no further
paving is required. It is interesting that the children often discovered some of the 
essential elements of Kruskal's algorithm and could offer arguments supporting 
them. (Rediscovering Kruskal's algorithm is not the point, of course.) 

This problem can be presented to children of ages 5-6 by using maps with 
distances marked by ticks rather than numerals, so that the total amount of 
paving can be figured by counting rather than by sums.

Minimum Dominating Set is another problem that can provide a nice illus-
tration of the idea of computational complexity. Recall that a dominating set in
a graph $G = (V, E)$ is a set of vertices $V' \subseteq V$ such that for every vertex $x$ of
$G$, either $x \in V'$ or $x$ has a neighbor $y \in V'$.

The stories we have told for this problem generally run to the theme of 
facilities location. For example, in Tourist Town we want to place ice-cream 
stands at corners so that no matter which corner you might be standing on, 
you need only walk at most one block to get an ice-cream. See Figure 3 for an 
example of a small, somewhat difficult graph for which $\gamma = 6$.

We allow some time for the children to puzzle over the map of Tourist Town, 
gradually producing more efficient solutions. Often, none of them is able to find 
the optimal solution with only six ice-cream stands. The children usually get 
an intuitive sense that Tourist Town is harder than Muddy City; the former 
does not seem to lend itself to solution by a quick and simple algorithm. The 
contrast between these two problems — one solvable in polynomial time and the 
other apparently intractable — provides a concrete introduction to the notion 
of computational complexity. We will return to the subject of dominating sets 
(of a special kind) in Section 5. 
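As an added example (mine, not the paper's), here are the three Pre-Crypto problems of this section as one short program: the Have-to Algorithm for 2-coloring (breadth-first propagation, which also detects when a map is not 2-colorable), Kruskal's algorithm for Muddy City with a union-find forest to detect cycles, and a minimum dominating set for Tourist Town found by trying every subset in order of size, which is the only general method on offer and is exponential in the number of corners. The maps are constructed for this example; they are not the maps of Figures 1 to 3.

```python
"""Added example (not from the paper): the three Pre-Crypto problems of Section 2.1.

Graphs are dicts vertex -> set of neighbours.  The maps below are constructed for
illustration and are not the paper's figures.
"""
from collections import deque
from itertools import combinations


def two_color(graph):
    """The 'Have-to Algorithm': colour one country, then every neighbour has to take
    the other colour, and so on (breadth-first).  Returns the colouring, or None if
    some country would have to be both red and blue (the map has an odd cycle)."""
    color = {}
    for start in graph:
        if start in color:
            continue
        color[start] = "red"
        queue = deque([start])
        while queue:
            u = queue.popleft()
            for v in graph[u]:
                if v not in color:
                    color[v] = "blue" if color[u] == "red" else "red"
                    queue.append(v)
                elif color[v] == color[u]:
                    return None
    return color


def kruskal(vertices, streets):
    """Muddy City: repeatedly pave a cheapest unpaved street that does not close a
    cycle of paved streets.  streets is a list of (cost, u, v).  Returns (total, paved)."""
    parent = {v: v for v in vertices}

    def find(v):                      # union-find with path halving
        while parent[v] != v:
            parent[v] = parent[parent[v]]
            v = parent[v]
        return v

    total, paved = 0, []
    for cost, u, v in sorted(streets):
        ru, rv = find(u), find(v)
        if ru != rv:                  # different components: no cycle is formed
            parent[ru] = rv
            total += cost
            paved.append((u, v))
    return total, paved


def is_dominating(graph, dom):
    """Every corner is an ice-cream stand or is one block from one."""
    return all(u in dom or graph[u] & dom for u in graph)


def min_dominating_set(graph):
    """Tourist Town: no quick algorithm is known, so try every subset, smallest first.
    This is exponential in the number of corners: fine for a classroom map only."""
    vertices = list(graph)
    for size in range(1, len(vertices) + 1):
        for dom in combinations(vertices, size):
            if is_dominating(graph, set(dom)):
                return set(dom)
    return set(vertices)


def make_graph(edges):
    graph = {}
    for u, v in edges:
        graph.setdefault(u, set()).add(v)
        graph.setdefault(v, set()).add(u)
    return graph


# Constructed sample inputs (not the paper's maps).
MAP_2COLOR = make_graph([(1, 2), (2, 3), (3, 4), (4, 1), (2, 5), (5, 4)])   # even cycles only
MAP_3COLOR = make_graph([(1, 2), (2, 3), (3, 1)])                           # a triangle
MUDDY_CITY = (
    {"A", "B", "C", "D", "E"},
    [(4, "A", "B"), (1, "A", "C"), (3, "B", "C"), (2, "B", "D"),
     (5, "C", "D"), (7, "C", "E"), (6, "D", "E")],
)
TOURIST_TOWN = make_graph([(i, (i + 1) % 8) for i in range(8)])             # an 8-cycle

if __name__ == "__main__":
    print(two_color(MAP_2COLOR))
    print(two_color(MAP_3COLOR))
    print(kruskal(*MUDDY_CITY))
    print(min_dominating_set(TOURIST_TOWN))
```

The contrast the section describes is visible in the code itself: two_color and kruskal each touch every edge a bounded number of times, while min_dominating_set has nothing better than enumerating subsets, so a town of 30 corners already means up to $2^{30}$ candidate sets.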

2.2 One- Way Functions 

After explaining that no one knows a good algorithm for Tourist Town, one can 
show that there is, however, a simple algorithm for "working backwards," i.e., 
starting with a set of vertices $V'$ that is to become an efficient solution and
constructing a Tourist Town $G = (V, E)$ around it. Namely, one uses a two-
step process. First, one forms a number of "stars" made up of "rays" (edges)
emanating from the vertices in $V'$. (Two rays from different vertices in $V'$ are
allowed to have a common endpoint.) This graph clearly has $V'$ as a solution.
Figure 4 below shows this step in the case of the Tourist Town example. The 
second step is to "disguise" this easy-to-solve graph by adding more edges. This 
clearly does not increase the number of vertices required in a dominating set, 
but it does make the original built-in solution harder to see. 

In this way it seems to be relatively easy to generate graphs on a small number
of vertices (e.g. 25-30), having a known dominating set of size $6 \le \gamma \le 10$, for
which it is relatively difficult to work out a solution of size $\gamma$ by hand. However,
no mathematical results are presently known that quantify the computational
difficulty of problems such as this for graphs of small size.



Fig. 3. Map of Tourist Town 



This is a nice example of the idea of a one-way function. The children may 
look forward to trying out on their parents the process of creating a graph for 
which they secretly know a difficult-to-match solution. Open problem: can we 
sell this to Rice Krispies? 

Remark 1. If the two-step "hidden solution" construction described above is
modified by (1) in the first step, requiring that no two stars share a common
vertex, and (2) in the second step, requiring that the additional disguising edges
be added only between vertices not in $V'$, then the hidden solution will be a
perfect code in $G = (V, E)$. (A more precise definition of a perfect code will be
given later.) This modified construction is useful for the Perfect Code public key
cryptosystem described in Section 4.

Remark 2. In presenting the Dominating Set problem to children in El Salvador, 
the authors had to confront an example of the general problem of cultural ap- 
propriateness of the stories used to introduce these topics. We found that in El 
Salvador, as would be the case in many places in the world, the idea of mini- 
mizing the number of ice-cream stands makes no cultural sense whatsoever. So 
we changed the setting for the Dominating Set problem, presenting it by means 
of a story about minimizing the number of wells in order to achieve an efficient 
water supply for a village. Such a story is appropriate for a Third World context 
but would make no sense to children in the developed world. 
Fig. 4. The first step in the construction of Tourist Town: a configuration of stars

2.3 Information Hiding Protocols

A simple illustration of this is a method for computing the average allowance 
of children in the classroom, without revealing any individual's allowance. The 
protocol goes like this. The first person picks a large integer randomly, and 
adds to it her allowance. The sum is passed secretly to the second person, who 
adds to it her allowance, and so on. After all the allowances have been privately 
added in, the final sum is secretly passed by the last person to the first person, 
who subtracts her original secret large integer and computes the average for the 
group. 

3 The Peruvian Coin Flip 

One of the key issues we must face in designing crayon-technology cryptosystems 
is: what interesting functions can 7-year olds (for instance) compute reliably? 
That is, what sort of by-hand computing do we have available to work with? 

With a little thought, we can see that interesting computations can be per- 
formed by young children to provide the computational engines for cryptosys- 
tems. For example, the outputs of Boolean circuits can be computed; finite-state 
automata and Mealy machines can be operated. (In principle, Turing machines 
can also be operated by paper and pencil, but our experience suggests that they 
are somewhat slow and unwieldy.) Cellular automata, if they are not too com- 
plicated, may offer another interesting possibility. Simple rewrite systems are 
another candidate for accessible calculations. The following protocol is based on
Boolean circuits. 

This protocol was first demonstrated by the authors with children in Peru 
(hence the name). The idea of trying out a crayon-technology cryptosystem in 
Peru seemed natural for several reasons. In the first place, the improvement of 
mathematics education is currently a hot topic of discussion among educators in 
Peru, as in much of the Third World. In the second place, developing countries 
(and international science development organizations such as the Kovalevskaia 
Fund ) have a special interest in the possibility of enhancing math and computer 
science education in situations where machines are not available. 

We first told a story to explain how the need for such a coin-flip protocol 
might arise. The women's soccer teams of Lima and Cuzco have to decide who 
gets to be the home team for the championship game. Alicia, representing Lima, 
and Berta, representing Cuzco, cannot spend the time and money to get together 
to flip a coin. So they agree to the following arrangement. 

Working together, they construct, a Boolean circuit made up of and-gates 
and or-gates (for simplicity, we allow only small and-gates and or-gates, and no 
not-gates). See Figure 5 for an example. In the construction process, each has 
an interest in ensuring enough complexity of the circuit so that the other will 
be unable to cheat (see below). The final circuit is public knowledge. Let n be 
the number of input bits, and let m be the number of output bits. 




Fig. 5. A Boolean circuit for the Peruvian coin-flip

Alicia selects an arbitrary input string, which she keeps secret. She puts the
string through the circuit, and sends Berta the output. Berta must then try to 
guess the parity of Alicia's input, i.e., the sum of its bits mod 2. If she guesses 
right, then the teams play in Cuzco. If her guess is wrong (which Alicia must 
demonstrate to her by revealing the input string), then they play in Lima. 

Nothing in this description is hard to convey to a child of age 8 or above. 
Moreover, when we explain to the children the basic ingredient in the protocol 
(A-gates and V-gates), we are talking about a really basic concept — perhaps 
the most basic concept — in formal logical thought. There is certainly as much 
justification for teaching about A-gates and V-gates as for long division and 
addition of fractions! 

Remark. An alternative construction would be for Alicia and Berta each to con- 
struct a circuit with n input bits and m output bits. Both circuits would be 
public knowledge. Then Alicia would put her secret input through both circuits, 
and the final output would be the XOR of the outputs produced by the two 
circuits. This variant is "cleaner" in the sense that it avoids some interaction; 
but probably the first variant is easier to explain to kids. More importantly, the 
first variant is more fun, precisely because of the added interaction. 

3.1 Cheating 

Berta can cheat if she can invert the circuit, i.e., find the input (or inputs) that 
produce a given output. Alicia can cheat if she can find two inputs of opposite 
parity that produce the same output. It seems likely that both forms of cheating 
are infeasible if the circuit is large and complex. 

If the circuit maps many-to-one, we claim that the ability to cheat in Berta's 
role implies the ability to cheat in Alicia's role. Namely, we have 

Proposition 1. Suppose we have a family C of many-to-one Boolean circuits, 
with the property that for any output the proportion of inputs in its preimage 
of given parity (odd or even) is bounded from below. Further suppose that one 
has an algorithm that inverts any circuit of C in time bounded by f(n), where 
$n$ is the size of the circuit. Then in time bounded by $k f(n) + p(n)$ (where $p$ is
a polynomial and k is a security parameter) one can find two inputs of opposite 
parity that give the same output. 

Proof. This result — both the statement and the proof — is completely anal- 
ogous to the result that the ability to take square roots modulo a composite 
number n implies the ability to factor n. Namely, to find the two desired inputs, 
select one input at random, and then apply the inversion algorithm to its output. 
With probability bounded from below, the inversion algorithm will give a second 
input of different parity for the same output. □

On the other hand, we can entirely prevent Alicia from being able to cheat 
by choosing a circuit that maps inputs to outputs injectively, i.e., it effects an 
embedding of $\{0,1\}^n$ into $\{0,1\}^m$. If we suppose that the circuit is complicated
enough to behave like a random map, then the next proposition shows that it
suffices to choose $m$ somewhat larger than $2n$.

Proposition 2. The probability that a random map from $\{0,1\}^n$ to $\{0,1\}^m$ is
injective is asymptotic to $1 - 2^{-(m-2n+1)}$ as $m - 2n \to \infty$.

Proof. This is a restatement of a well-known combinatorial result (the "birthday
paradox"). □
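An added example (not the paper's code) of the Peruvian coin flip and of the two cheats of Section 3.1, using a small constructed circuit rather than the one of Fig. 5. evaluate runs a list of AND/OR gates, coin_flip plays one round including the reveal-and-verify step, preimages is Berta's brute-force inverter, alicia_cheats turns that inverter into a pair of opposite-parity inputs with the same output (the reduction of Proposition 1), and injective_fraction checks Proposition 2 by sampling random maps. All names and parameters are my choices.

```python
"""Added example (not the paper's code): the Peruvian coin flip of Section 3.

A circuit is a list of gates (op, a, b) over wires 0..n-1 (the inputs) followed by
one wire per gate; the last m wires are the outputs.  Only AND and OR gates exist,
as in the paper, so the circuit is monotone.  SAMPLE_CIRCUIT is constructed here
for the example and is not the circuit of Fig. 5.
"""
import random
from itertools import product

N, M = 4, 3
SAMPLE_CIRCUIT = [("and", 0, 1), ("or", 2, 3), ("or", 4, 2), ("and", 5, 3), ("or", 6, 1)]


def evaluate(circuit, n, m, bits):
    """Feed n input bits through the gates in order; return the m output bits."""
    wires = list(bits)
    for op, a, b in circuit:
        wires.append(wires[a] & wires[b] if op == "and" else wires[a] | wires[b])
    return tuple(wires[-m:])


def random_circuit(n, m, gates, rng):
    """A public circuit; in the story Alicia and Berta build it together."""
    return [(rng.choice(["and", "or"]), *rng.sample(range(n + i), 2)) for i in range(gates)]


def parity(bits):
    return sum(bits) % 2


def coin_flip(circuit, n, m, rng):
    """One run of the protocol: commit, guess, reveal, verify.  Returns (winner, transcript)."""
    secret = tuple(rng.randrange(2) for _ in range(n))   # Alicia's secret input
    sent = evaluate(circuit, n, m, secret)                # all that Berta sees
    guess = rng.randrange(2)                              # Berta's guess of the parity
    # Alicia reveals the input; Berta checks it really produces what was sent.
    if evaluate(circuit, n, m, secret) != sent:
        raise ValueError("revealed input does not match the sent output")
    winner = "Cuzco" if guess == parity(secret) else "Lima"
    return winner, {"secret": secret, "sent": sent, "guess": guess}


def preimages(circuit, n, m):
    """Berta's cheat: invert the circuit by brute force (feasible only for small n)."""
    table = {}
    for bits in product((0, 1), repeat=n):
        table.setdefault(evaluate(circuit, n, m, bits), []).append(bits)
    return table


def alicia_cheats(circuit, n, m):
    """Alicia's cheat: (output, even input, odd input) with both inputs mapping to
    output, or None.  As in Proposition 1, an inverter hands this over directly."""
    for out, ins in preimages(circuit, n, m).items():
        even = [b for b in ins if parity(b) == 0]
        odd = [b for b in ins if parity(b) == 1]
        if even and odd:
            return out, even[0], odd[0]
    return None


def injective_fraction(n, m, trials, rng):
    """Monte Carlo check of Proposition 2: fraction of random maps {0,1}^n -> {0,1}^m
    that are injective, to compare with 1 - 2^-(m - 2n + 1)."""
    hits = 0
    for _ in range(trials):
        images = [rng.getrandbits(m) for _ in range(1 << n)]
        hits += len(set(images)) == len(images)
    return hits / trials


def demo(seed=7):
    """Deterministic run of everything above on SAMPLE_CIRCUIT; returns the results."""
    rng = random.Random(seed)
    winner, transcript = coin_flip(SAMPLE_CIRCUIT, N, M, rng)
    return {
        "winner": winner,
        "transcript": transcript,
        "alicia_cheat": alicia_cheats(SAMPLE_CIRCUIT, N, M),
        "injective_estimate": injective_fraction(4, 12, 2000, rng),
        "injective_formula": 1 - 2 ** -(12 - 2 * 4 + 1),
    }


if __name__ == "__main__":
    print(demo())
    big = random_circuit(40, 90, 400, random.Random(1))   # closer to "large and complex"
    print(coin_flip(big, 40, 90, random.Random(2))[0])
```

Because there are no NOT gates the circuit is monotone, so the all-zero input always gives the all-zero output and the all-one input the all-one output; Berta learns at least that much for free, which is one reason the story insists on a large and complex circuit. SAMPLE_CIRCUIT is deliberately tiny and trivially cheatable, and a real run needs n in the dozens so that neither the $2^n$ table in preimages nor the search behind alicia_cheats is feasible.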



4 Perfect Code Cryptosystems and Molten Arithmetic 

The public key system which we will describe in this section can be designed 
with different levels of accessibility and security. The simplest version, which 
will be described first, can be mastered by a child who understands only (1) the 
simplest properties of graphs, and (2) addition (say, modulo 2 or modulo 26). We 
shall then describe a more complicated version, appropriate for older children, 
using what we call molten arithmetic. The latter term refers to the fluidity in 
the definition of the cryptosystem. That is, the rules for building the system can 
be adjusted according to the level of accessibility and security desired. 

We begin by considering a special kind of dominating set in a graph called
a perfect code. In what follows, if $u$ is a vertex of a graph $G = (V, E)$, then the
notation $N[u]$ (the "neighborhood" of $u$) denotes the set of vertices which share
an edge with $u$ (including $u$ itself).

Definition 3. A set of vertices $V' \subseteq V$ in a graph $G = (V, E)$ is said to be a
perfect code if for every vertex $u \in V$ the neighborhood $N[u]$ contains exactly
one vertex of $V'$.

Figure 6 below shows an example of a graph with a perfect code. The vertices 
of the perfect code are indicated by open circles. 

Remark 1. Jan Kratochvil has shown that the problem of determining whether
a graph has a perfect code is NP-complete for $d$-regular graphs, for all $d \ge 3$
[3].

Remark 2. An interesting detour for kids along the way to our cryptosystem
might be to investigate error-correcting codes. For example, let $n$ be of the form
$2^k - 1$, and let $G$ be the hypercube graph, whose vertices are $\{0,1\}^n \subset \mathbb{R}^n$ and
whose edges are the edges of the $n$-dimensional unit hypercube. Then a binary
Hamming code of length $n = 2^k - 1$ and dimension $d = 2^k - k - 1$ corresponds
to a perfect code of $2^d$ vertices in $G$. For example, when $k = 2$, the (unique)
Hamming code is the pair of opposite vertices $(0,0,0)$ and $(1,1,1)$ on the ordinary
cube.

Fig. 6. Example of a perfect code in a cubic graph

4.1 Version A_1 of the Perfect Code Cryptosystem 

This version is accessible to children of age 8. Suppose that the children have 
already mastered the Pre-Crypto topic construction of a graph that has a 
well-disguised perfect code (see the first remark of section 2.2). Now Alice wants to be 
able to receive an encrypted bit from Bobby. She constructs a graph G = (V, E) 
with a perfect code V'. The graph G is her public key. Her private key is V'. 

To send a bit b, Bobby makes a random assignment of 0's and 1's to all of 
the vertices of G except one. He then assigns either a 0 or 1 to the last vertex 
in such a way that the sum mod 2 over all of the vertices is equal to b. Next, 
he replaces the bit $c_u$ assigned to each vertex u by a new bit $c'_u$ determined 
by summing (mod 2) all of the bits that had been assigned to the neighboring 
vertices: $c'_u = \sum_{v \in N[u]} c_v$. He finally returns the graph to Alice with the bits $c'_u$ 
annotating the vertices. 

To decipher the message, Alice takes the sum of $c'_u$ over the perfect code; 
that is, she has $b = \sum_{u \in V} c_u = \sum_{u \in V'} c'_u$, where the last equality follows from 
the definition of a perfect code. 

4.2 Version A_2 

The same as version A_1, but we make it more interesting by working modulo 26, 
so that Bobby can send Alice an enciphered letter $b \in \{A = 0, \ldots, Z = 25\}$. 

Remark. Even if G is a complicated graph, both versions A_1 and A_2 of this 
cryptosystem can be broken in polynomial time using linear algebra (Gaussian 
elimination) modulo 2 (respectively, modulo 26). This will be shown later as a 
special case of a more general result. However, junior high school students have 
no more knowledge of how to do this than we have of how to factor integers in 
polynomial time. So with a judicious choice of G, versions A_1 and A_2 appear to 
be accessible and secure for junior high school. 
4.3 Versions B and C 

We now describe more elaborate versions which are harder to crack. We conjec- 
ture that version B is accessible and secure for high school students. Version C 
might be secure even for adults — at least we do not know how to break it. 

First we need some notation and definitions. Given a graph G = (V, E), we 
assign a variable denoted $a_u$ to each vertex u ∈ V. Suppose that G has a perfect 
code V'. Let x, y ∈ Z and m ∈ Z ∪ {∞}, m ≥ 2. We let σ(x,y,m) denote the 
substitution scheme which evaluates a polynomial in the $a_u$ by setting $a_u = x$ if 
u ∈ V' and $a_u = y$ otherwise, and performing the arithmetic modulo m (doing 
ordinary arithmetic in the case m = ∞). 

By an invariant expression in a neighborhood N[u] relative to the substi- 
tution scheme σ(x,y,m) we mean a polynomial in the variables $a_v$, v ∈ N[u], 
which evaluates to the same value irrespective of which vertex in N[u] is in the 
perfect code. Here are some examples: 

(1) For any substitution scheme, $\sum_{v \in N[u]} a_v$ is an invariant expression. More 
generally, any symmetric polynomial in the $a_v$, v ∈ N[u], is an invariant expres- 
sion relative to any substitution scheme. 

(2) If the neighborhood N[u] has 4 vertices, whose corresponding variables 
will be denoted a, b, c, d, and we have the substitution scheme σ(2,1,3), then 
each of the following expressions is invariant: ab + c + d (always evaluates to 1), 
ab + ac + ad + a (always evaluates to 2), ab + bc + cd + a + d (always evaluates 
to 1). 

(3) If the neighborhood N[u] has 4 vertices and we have the substitution 
scheme σ(2,1,∞), then each of the following is invariant: ab + c + d, ab + bc + 
cd + a + d, ab + cd, abc + d. 

We now describe versions B and C of the Perfect Code cryptosystem. In 
both cases the public key is the graph G = (V, E) and the substitution scheme 
σ(x,y,m) (i.e., a choice of x, y, m), the private key is the perfect code V', and 
the message Bobby wants to send is an integer b modulo m. 

Version C is the most general. To send the message b, Bobby creates a 
large, complicated polynomial f from building blocks consisting of invariant 
expressions in neighborhoods of randomly selected vertices. This polynomial f 
must have two properties: (1) it evaluates to b under the substitution scheme 
σ(x,y,m); and (2) someone who knows f but not how it was constructed from 
the building blocks would have great difficulty decomposing f into invariant ex- 
pressions. Once Bobby constructs such an f, he sends it to Alice. Alice, who 
knows the perfect code, can correctly evaluate f without knowing how it de- 
composes into invariant expressions; she merely has to make the substitution 
σ(x,y,m). 

Version B is a special case of C. We use the substitution scheme σ(1,0,m) 
(m is arbitrary). To send the message b (a certain integer modulo m), Bobby 
chooses an arbitrary set I of subsets of vertices S ⊂ V and a corresponding set 
of integers $c_S$ such that $\sum_{S \in I} c_S \equiv b \pmod{m}$. He then forms the polynomial 

$$f = \sum_{S \in I} c_S \prod_{u \in S} \sum_{v \in N[u]} a_v .$$

Since each inner sum evaluates to 1, the whole expression obviously evaluates to 

Remark. Versions A_1 and A_2 are special cases of version B where I consists of 
one-element sets S = {u}. Then $f = \sum_{u \in V} c_u \sum_{v \in N[u]} a_v = \sum_{u \in V} c'_u a_u$, where 
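
The invariance checks of examples (1)-(3) and the construction of a Version B polynomial, worked through in Python as an added example (not code from the paper). It assumes the 3-cube of Remark 2 with perfect code {(0,0,0), (1,1,1)} as the graph; the subsets, coefficients and function names are my own choices, and `demo_version_b` expands f by the distributive law (as Remark 3 of section 4.4 suggests) so that Alice receives only monomials and evaluates them under σ(1,0,m).

```python
"""Invariant expressions (section 4.3) and a Version B ciphertext polynomial.

Added example, not code from the paper.  A polynomial is a dict mapping a
monomial (sorted tuple of variable names, repeats allowed) to an integer
coefficient.  m=None plays the role of m = oo (ordinary arithmetic).
"""
from typing import Dict, List, Optional, Set, Tuple

Mono = Tuple[str, ...]
Poly = Dict[Mono, int]


def parse(expr: str) -> Poly:
    """Parse the paper's notation: '+'-separated terms, each an optional integer
    coefficient followed by juxtaposed single-letter variables, e.g. 'ab + 2c'."""
    poly: Poly = {}
    for term in expr.replace(" ", "").split("+"):
        digits = "".join(ch for ch in term if ch.isdigit())
        coef = int(digits) if digits else 1
        mono = tuple(sorted(ch for ch in term if ch.isalpha()))
        poly[mono] = poly.get(mono, 0) + coef
    return poly


def evaluate(poly: Poly, values: Dict[str, int], m: Optional[int]) -> int:
    """Evaluate poly at the given variable values, modulo m unless m is None."""
    total = 0
    for mono, coef in poly.items():
        term = coef
        for var in mono:
            term *= values[var]
        total += term
    return total if m is None else total % m


def invariant_value(poly: Poly, variables: List[str], x: int, y: int,
                    m: Optional[int]) -> Optional[int]:
    """Value of poly under sigma(x,y,m) if it is the same whichever single
    variable is the perfect-code vertex (x for it, y for the rest); else None."""
    vals = set()
    for chosen in variables:
        vals.add(evaluate(poly, {v: x if v == chosen else y for v in variables}, m))
    return vals.pop() if len(vals) == 1 else None


def mul(p: Poly, q: Poly) -> Poly:
    out: Poly = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            mono = tuple(sorted(m1 + m2))
            out[mono] = out.get(mono, 0) + c1 * c2
    return out


def add_scaled(acc: Poly, p: Poly, c: int) -> None:
    for mono, coef in p.items():
        acc[mono] = acc.get(mono, 0) + c * coef


# Constructed sample graph: the 3-cube (Remark 2), vertices 0..7, edges between
# labels differing in one bit; {0, 7} = {(0,0,0), (1,1,1)} is a perfect code.
CUBE = {u: {u, u ^ 1, u ^ 2, u ^ 4} for u in range(8)}
CUBE_CODE = {0, 7}
assert all(len(CUBE[u] & CUBE_CODE) == 1 for u in CUBE)   # Definition 3


def neighbourhood_sum(neigh: Dict[int, Set[int]], u: int) -> Poly:
    """sum_{v in N[u]} a_v, the basic invariant block of example (1)."""
    return {(f"a{v}",): 1 for v in neigh[u]}


def version_b(neigh: Dict[int, Set[int]], subsets: List[Set[int]],
              coeffs: List[int], m: int) -> Poly:
    """f = sum_S c_S prod_{u in S} sum_{v in N[u]} a_v, expanded and reduced
    mod m, so the receiver sees only monomials, not the building blocks."""
    f: Poly = {}
    for S, c in zip(subsets, coeffs):
        block: Poly = {(): 1}
        for u in S:
            block = mul(block, neighbourhood_sum(neigh, u))
        add_scaled(f, block, c)
    return {mono: coef % m for mono, coef in f.items() if coef % m}


def alice_decrypt(f: Poly, neigh: Dict[int, Set[int]], code: Set[int],
                  x: int, y: int, m: int) -> int:
    """Alice just applies sigma(x,y,m): x on code vertices, y elsewhere."""
    return evaluate(f, {f"a{v}": x if v in code else y for v in neigh}, m)


def demo_version_b(b: int = 17, m: int = 26) -> Tuple[int, int]:
    """Bobby picks subsets and coefficients summing to b mod m; returns
    (number of monomials Alice receives, Alice's recovered message)."""
    subsets = [{0}, {1, 5}, {2, 3, 6}]          # my choice of I
    coeffs = [5, 20, (b - 25) % m]              # c_S with sum = b (mod m)
    f = version_b(CUBE, subsets, coeffs, m)
    return len(f), alice_decrypt(f, CUBE, CUBE_CODE, 1, 0, m)
```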

4.4 Breaking Versions A_1, A_2 and B 

Given a polynomial f in the variables $a_u$, we want to find an identity of the form 

$$f = \sum_{S \in I} c_S \prod_{u \in S} \sum_{v \in N[u]} a_v .$$

By writing both sides as a sum of homogeneous terms, without loss of generality 
we may assume that on the left side of the equation f is homogeneous of total 
degree d, and on the right side of the equation I is the set of subsets S ⊂ V 
of cardinality d. We regard the $c_S$ as unknowns, and equate coefficients of each 
monomial on the left and right. There are $\binom{n}{d}$ unknowns $c_S$ (here n = #V is 
the size of the graph), and there are $\binom{n+d-1}{d}$ monomials of total degree d, and 
hence $\binom{n+d-1}{d}$ equations. Although there are more equations than unknowns 
(except in the case d = 1), we know that there is a solution, because the f in 
version B was constructed as such a sum of products. The solution can be found 
by Gaussian elimination. (In practice, the system of equations will probably be 
very sparse, in which case special methods are available.) 

Notice that if d is unbounded, then the time required to do the linear algebra 
is not polynomial in the size n of the graph. However, the time is polynomial in 
the size of the polynomial f that Bobby sends to Alice, unless he has some way 
of producing sparse polynomials f (polynomials f with mostly zero coefficients). 
But we know of no way systematically to produce sparse polynomials that are 
difficult to crack. 

Remark 1. Any time the substitution scheme in use is σ(1,0,m) (as in version 
B), there is a simple way that Bobby can make the cryptosystem harder to break. 
Bobby knows that any monomial whose variables are not all in Alice's perfect 
code will evaluate to 0, and hence can be dropped from f before he sends f to 
Alice. Of course, Bobby does not know the perfect code. However, he knows that 
if a monomial contains two variables $a_u$ and $a_v$ corresponding to vertices which 
are at a distance ≤ 2 from one another, then those vertices cannot both be in 
her perfect code, and hence the monomial can be dropped. 
Remark 2. Notice that the f in version B are actually invariant under any sub- 
stitution scheme σ(x,y,m). The f used in version C are much more general, 
since they are built up from expressions which need only be invariant under our 
one particular substitution scheme. Thus, the f in version C cannot, in gen- 
eral, be decomposed into building blocks made of symmetric polynomials in the 
variables in a neighborhood. 

Remark 3. In implementing these cryptosystems, the youngsters have to search 
for invariant building blocks and then build up complicated f, using the distribu- 
tive law and gathering similar terms so as to disguise the way f was formed. In 
this way Kid Krypto might add some excitement to the subject of polynomials, 
which is often presented in school in a dry, unmotivated manner. The decision 
as to what version of Perfect Code cryptography to use — how complicated to 
make the possible f — depends on the age of the children and their ability to 
keep track of a lot of data. 

4.5 Cubic Graphs 

One way to keep the level of difficulty under control is to use only regular graphs 
of degree 3. Then the invariant expressions in any neighborhood involve exactly 
4 variables. The class of cubic graphs is still plenty complicated to support these 
cryptosystems — as mentioned before, determining whether a given cubic graph 
has a perfect code is NP-complete. We now describe a simple construction that 
gives a large class of cubic graphs having perfect codes. The construction is based 
on covering spaces of $K_4$, the complete graph on 4 vertices. 

The construction is as follows. Let $n = 4n_0$ be the size of the cubic graph to 
be constructed. Select four sets of $n_0$ vertices each, which we denote A, B, C, D. 
Then randomly create six one-to-one correspondences between the sets: A ≈ B, 
A ≈ C, A ≈ D, B ≈ C, B ≈ D, C ≈ D. Draw edges between vertices that 
are associated under any of these six bijections. Let G = (V, E) be the resulting 
graph. Notice that each neighborhood N[u] contains exactly one vertex from 
each of the sets A, B, C, D; and each of these sets is a perfect code in G. The 
construction is completely general: every covering space of $K_4$ can be produced 
in this way. It is not presently known whether the problem of recovering such 
a vertex set partition for a graph that is known to be a cover of $K_4$ is difficult 
in the sense of average-case complexity. The problem of deciding whether an 
arbitrary graph is a cover of $K_4$, however, has been shown to be NP-complete 
[3]. 
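
Version A_1 of section 4.1, the cubic K_4-cover construction of section 4.5 and the d = 1 case of the linear-algebra break of section 4.4, worked through together in Python as an added example (not code from the paper). The function names, the seed and the class size n_0 = 6 are my own choices, and the break is run modulo 2 only; for d = 1 the identity of section 4.4 is just the linear system $c'_v = \sum_{u \in N[v]} c_u$, and any solution c gives the same $\sum_u c_u$ because the indicator vector of a perfect code multiplied by (I + Adj) is the all-ones vector.

```python
"""Perfect Code cryptosystem, Version A_1: K_4-cover graphs, encryption,
decryption and the degree-1 linear-algebra break.  Added example, not the
paper's code.  With d = 1 the identity of section 4.4 reads
c'_v = sum_{u in N[v]} c_u, a linear system over Z_2 that anyone can solve."""
import random
from typing import Dict, List, Set, Tuple

Graph = Dict[int, Set[int]]  # vertex -> closed neighbourhood N[u]


def k4_cover(n0: int, rng: random.Random) -> Tuple[Graph, List[Set[int]]]:
    """Section 4.5: four classes A, B, C, D of n0 vertices, joined by six random
    bijections.  Every vertex gets one neighbour per other class (so the graph
    is cubic) and each class is a perfect code."""
    classes = [list(range(i * n0, (i + 1) * n0)) for i in range(4)]
    neigh: Graph = {u: {u} for u in range(4 * n0)}
    for i in range(4):
        for j in range(i + 1, 4):
            perm = classes[j][:]
            rng.shuffle(perm)                   # a random bijection class i -> class j
            for u, v in zip(classes[i], perm):
                neigh[u].add(v)
                neigh[v].add(u)
    return neigh, [set(c) for c in classes]


def is_perfect_code(neigh: Graph, code: Set[int]) -> bool:
    """Definition 3: every closed neighbourhood meets the code exactly once."""
    return all(len(neigh[u] & code) == 1 for u in neigh)


def encrypt(neigh: Graph, b: int, m: int, rng: random.Random) -> Dict[int, int]:
    """Bobby: random c_u with sum b (mod m), then c'_u = sum of c_v over N[u]."""
    verts = list(neigh)
    c = {u: rng.randrange(m) for u in verts[:-1]}
    c[verts[-1]] = (b - sum(c.values())) % m   # last vertex fixes the total
    return {u: sum(c[v] for v in neigh[u]) % m for u in verts}


def decrypt(neigh: Graph, code: Set[int], cprime: Dict[int, int], m: int) -> int:
    """Alice: sum c'_u over the perfect code only (section 4.1)."""
    return sum(cprime[u] for u in code) % m


def solve_mod_p(rows: List[List[int]], rhs: List[int], p: int) -> List[int]:
    """Gaussian elimination over Z_p (p prime).  Returns one solution x of
    A x = rhs with free variables set to 0; raises ValueError if inconsistent."""
    n, ncols = len(rows), len(rows[0])
    aug = [[v % p for v in rows[i]] + [rhs[i] % p] for i in range(n)]
    pivots: List[int] = []
    for col in range(ncols):
        r = len(pivots)
        piv = next((i for i in range(r, n) if aug[i][col]), None)
        if piv is None:
            continue                             # free column
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [(v * inv) % p for v in aug[r]]
        for i in range(n):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(a - f * b) % p for a, b in zip(aug[i], aug[r])]
        pivots.append(col)
    if any(not any(row[:-1]) and row[-1] for row in aug):
        raise ValueError("inconsistent system")
    x = [0] * ncols
    for i, col in enumerate(pivots):
        x[col] = aug[i][-1]
    return x


def break_version_a(neigh: Graph, cprime: Dict[int, int], p: int) -> int:
    """Section 4.4 with d = 1: solve c' = (I + Adj) c for any c and return
    sum c_u.  Every solution gives the same b, since for a perfect code V' the
    indicator of V' times (I + Adj) is the all-ones vector."""
    verts = sorted(neigh)
    rows = [[1 if u in neigh[v] else 0 for u in verts] for v in verts]
    c = solve_mod_p(rows, [cprime[v] for v in verts], p)
    return sum(c) % p


def demo(b: int, seed: int = 1, n0: int = 6) -> Tuple[bool, int, int]:
    """Returns (class C is a perfect code, Alice's bit, cryptanalyst's bit)."""
    rng = random.Random(seed)
    neigh, classes = k4_cover(n0, rng)
    code = classes[2]                           # Alice keeps class C private
    cprime = encrypt(neigh, b, 2, rng)
    return (is_perfect_code(neigh, code), decrypt(neigh, code, cprime, 2),
            break_version_a(neigh, cprime, 2))


if __name__ == "__main__":
    print(demo(1), demo(0))
```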

5 Kid Krypto Research Problems 

The project of sharing the subject of cryptography with children leads to a 
number of interesting research problems. 
5.1 Accessible Combinatorial Cryptosystems 

Kid Krypto gives us a reason to have another look at various proposals for 
cryptosystems based on simple combinatorics. For example, the public key sys- 
tem using reversible cellular automata proposed in [2] may have merit for Kid 
Krypto. Another combinatorially based cryptosystem was proposed by a group 
of researchers at Madras Christian College in India and the Hanoi Mathematical 
Institute in Vietnam. In [5], they show that a rewrite system — based on the 
word problem in a group — can be used to construct a public-key system. It 
would be interesting to try to adapt these ideas for Kid Krypto. 

It is worthwhile to develop a variety of examples of Kid Kryptosystems. 
In that way one can convey some of the richness and interconnectedness of 
mathematics, and at the same time give oneself flexibility when using Kid Krypto 
in the classroom. 

5.2 Other Fundamental Protocols 

At this point, a number of fundamental cryptographic primitives are still unex- 
plored from the Kid Krypto point of view. Can we find elegant and accessible 
implementations of oblivious transfer, secure 2-party computation, secret shar- 
ing, zero-knowledge proof, etc.? 

5.3 The Complexity of Small Things 

Crayon-technology cryptosystems work with mathematical objects that are es- 
sentially very small, mathematically speaking — such as graphs on fewer than 
25 vertices, circuits of similar size, and two-digit integers. From limited experi- 
ence, it seems that it is relatively easy to generate small hard examples for the 
Minimum Dominating Set problem, but small hard examples of the 3-Coloring 
problem for planar graphs seem to be more difficult to generate. Is it possible to 
study this issue mathematically? 

5.4 Breaking the Perfect Code Cryptosystem 

Can the most general version of the Perfect Code system (version C) be broken 
in polynomial time? 

5.5 Robustness Under Not Following Directions Properly 

Classroom experiences seem inevitably to turn up intriguing questions in a play- 
ful vein. For example, the following question arose when the first author pre- 
sented Map Coloring on one occasion. What is the minimum number of colors 
with which one can always color a planar map in a situation where one takes 
turns with an "incompetent helper" who is only assumed to color legally, but 
not necessarily judiciously? A bound of 33 was recently proved [4] for this lovely 
problem. 
In presenting the Peruvian coin-flip to a junior high school audience, the au- 
thors encountered the situation where children attempted to evaluate the 
n-input/n-output circuit upside down. This leads to the following natural ques- 
tion, to which we do not know the answer. Let us suppose that all gates of our 
circuit have fan-out (as well as fan-in) of 2. (An alternative would be to allow 
large gates, i.e., gates with arbitrary fan-in and fan-out.) In addition, let us put 
∨'s and ∧'s in the input gates in an arbitrary way, with the understanding that 
such a gate (with a fan-in of 1) leaves the input bit unchanged. Under these 
assumptions the circuit makes sense if the child turns it upside down, of course 
with each ∨-gate now becoming a ∧-gate and vice-versa. A natural question is 
whether it makes much difference (to a cheater) whether the circuit is right side 
up or upside down. More precisely, can one find a family of circuits which are 
easy to invert, but which when turned upside down are hard to invert? Can the 
problem of inverting the circuits in some presumably hard-to-invert family C be 
shown to be polynomial time equivalent to the problem of inverting the upside 
down circuits of C? 

5.6 Physical Realizations of Cryptographic Protocols 

Some cryptographic ideas can be effectively demonstrated by employing physical 
props. Such demonstrations can be useful in conveying the central concepts of 
cryptography to children and other mathematically unsophisticated audiences, 
such as in popular lectures. Although in this paper we have focused on the design 
of cryptosystems accessible to children that are fully mathematical and do not 
rely on physical props, cryptosystems based on physical primitives might also 
prove to be a source of interesting mathematics for children. 

For example, a number of fundamental protocols, such as oblivious transfer 
and multi-party secure computation, can be nicely demonstrated by means of or- 
dinary playing cards [1]. Note that these familiar physical objects have a number 
of cryptographically useful properties "built in": they have a convenient means 
of randomization (shuffling), are uniquely identifiable, and when face down are 
all indistinguishable. A number of entertaining research problems arise in con- 
structing cryptosystems based on such physical primitives (see [1] for further 
discussion). 

6 The Research Community and Mathematics Education 

The past year has seen the inception of at least three major projects originating 
in the research communities of mathematics and theoretical computer science to 
develop engaging mathematical materials for children in the elementary grades: 

(1) The education projects associated with the Center for Discrete Mathematics 
and Theoretical Computer Science (DIMACS), located at Rutgers University. 

(2) The compendium project of the Association for Computing Machinery Spe- 
cial Interest Group on Algorithms and Computation Theory (SIGACT). 
(3) The Megamath Project of the U.S. National Laboratories in Los Alamos, 
New Mexico. 

All three of these projects are concerned with developing resource materials 
from the extensive treasury of accessible, active and applicable mathematics that 
has emerged in recent years in the intertwined subjects of discrete mathematics 
and computer science. 

DIMACS now publishes the newsletter In Discrete Mathematics (the pre- 
miere issue is dated Nov. 1991) which contains articles on topics in discrete 
mathematics intended to be useful to teachers introducing discrete mathematics 
to their classes. The newsletter will also serve as a networking service and clear- 
inghouse for ideas and materials related to discrete mathematics in education 
in the lower grades. Further information can be obtained from Joe Rosenstein 
(joer@math.rutgers.edu). Members of the cryptographic community who wish 
to contribute something would certainly be welcome. 

The SIGACT compendium project was initiated at the business meeting at 
STOC in May, 1992. The newly formed SIGACT Committee on Education has 
as its first goal the production of a compendium of theoretical computer science 
topics and presentation strategies that may be useful in a variety of settings 
with children (for example, children's science museums). This project makes no 
commitment to any particular direction in school curriculum reform: rather, it 
is simply a collective effort at science popularization. 

The Megamath Project of the U.S. Los Alamos National Labs intends to 
influence classroom practice, by making schoolwork more like the experience 
one has in a good science museum. That is, the goal is to bring to children in 
the classroom a live experience of mathematical science as something in which 
they can actively participate. Thus, the Megamath Project is looking into such 
things as (1) mathematics research problems accessible to children, (2) possible 
forums for children to present the results of their mathematical investigations, (3) 
extended projects for classroom investigation, (4) the classroom use of personal 
mathematics journals, and (5) opportunities for children to communicate with 
larger mathematical communities. 

The three initiatives in discrete mathematics and computer science described 
above join other efforts involving research scientists in elementary education. 
These include the Mathematicians and Education Reform Network sponsored by 
the AMS and the NSF, and the Scientists in the Schools program of the Sandia 
U.S. National Research Laboratories. Many scientists are now looking for more 
direct ways to work with children and stimulate grade school educational reform. 
This seems to be an idea whose time has come. 

Besides fitting in well with these initiatives, a program of classroom activ- 
ity centered around Kid Krypto is an ideal way to implement the Curricu- 
lum Standards of the National Council of Teachers of Mathematics [NCTM 
1989]. These standards, which stress the importance of mathematical thinking, 
problem-solving, communication, and connections between mathematics and the 
world, are a radical departure from earlier curriculum standards. (In the past, 
the mathematical curriculum was defined simply to consist of a list of topics.) 
Moreover, the idea of presenting the mathematics of computers (without 
machines!) has proved to be attractive to organizations interested in promoting 
opportunities for women and minorities in science and technology, particularly in 
situations where funds for education are severely limited. One of the sponsoring 
organizations of the Los Alamos Megamath Project is the American Association 
of Historically Black Colleges. The Kovalevskaia Fund (a foundation for women 
in science in developing countries) has organized lectures and demonstrations on 
discrete mathematics in the classroom (including Kid Krypto) at universities in 
the Third World. 

We believe that the cryptographic community has an important role to play 
in the ambitious curriculum reform projects articulated by the NCTM and other 
organizations. Kid Krypto includes a tremendous wealth of vivid, accessible, ap- 
plicable, engaging and active mathematics in its treasury of ideas. The involve- 
ment of cryptologists and theoretical computer scientists in elementary education 
will have several effects — first and foremost in helping to clarify what computer 
science is about. Like any science, it is about ideas; it is not a Cargo Cult. 

One of the purposes of this paper is to encourage the reader to become 
involved in developing Kid Krypto and related materials for children. This can 
be done, for example, through the SIGACT compendium project. Contributions 
to this effort can be communicated to the first author. Even rough ideas in rough 
form are solicited, and will be credited in the compendium publication. 
Abstract. The notion of a "proof of knowledge," suggested by Gold- 
wasser, Micali and Rackoff, has been used in many works as a tool for 
the construction of cryptographic protocols and other schemes. Yet the 
commonly cited formalizations of this notion are unsatisfactory and in 
particular inadequate for some of the applications in which they are used. 
Consequently, new researchers keep getting misled by existing literature. 
The purpose of this paper is to indicate the source of these problems and 
suggest a definition which resolves them. 



1 Introduction 

The introduction of the concept of a "proof of knowledge" is one of the many 
conceptual contributions of the work of Goldwasser, Micali and Rackoff [14]. This 
fundamental work, though containing intuition and clues towards a definition of 
the notion of a "proof of knowledge," does not provide a formal definition of 
it. Furthermore, in our opinion, the commonly cited formal definitions, namely 
those of Feige, Fiat and Shamir [6] and Tompa and Woll [18], are not satisfactory, 
and, in particular, inadequate for some of the applications in which they have 
been used. 

The purpose of this paper is two-fold. First, we would like to describe whence 
stem the flaws in the previous definitions and why these definitions do not suffice 
for some applications. We then propose a definition which we feel remedies these 
defects and also has other advantages. 

We note that a definition which is much better than those of [6, 18] has 
appeared in the work of Feige and Shamir [7], but the community seems unaware 
of the fact that the definition in [7] is fundamentally different from, and preferable 
to, the one in [6] (in particular, this fact is not stated in [7]). The definition 
we present differs in many ways from that of [7] which we feel still has some 
conceptual problems. Yet both have in common the attempt to capture provers 
who convince with probabilities that are not non-negligible, thereby correctly 
addressing what we believe is one of the main flaws in the definitions of [6, 18]. 
Among the novel features of our new definition is that it allows us also to 
talk of the knowledge of machines which operate in super-polynomial-time. But 
this (and other novel features) we will discuss later; let us begin with the basics. 

1.1 Basic approach in defining proofs of knowledge 

Intuitively, a two-party protocol constitutes a "system for proofs of knowledge" 
if "whenever" one party (called the verifier) is "convinced" 3 then the other party 
(called the prover) indeed "knows" "something". The excessive use of quotation 
symbols in the condition of the above statement may provide some indication 
to the complexity of the notion. For simplicity, let us consider the special case 
in which the "object of knowledge" is a witness for membership of a common 
input in some predetermined language in NP. For example, let us consider the 
case in which the "object of knowledge" is a satisfying assignment for a CNF 
formula (given as input to both parties). Hence, a two-party protocol constitutes 
a "system for proofs of knowledge of satisfying assignments" if "whenever" the 
verifier is "convinced" then the prover indeed "knows" a satisfying assignment 
for the given formula. The clue to a formalization of "proofs of knowledge" is an 
appropriate interpretation of the phrases "whenever" and "knows" which appear 
in the condition. The phrase "convinced" has the straightforward and standard 
interpretation of accepting (i.e., entering a specified state in the computation). 

Following [14] the interpretation of the phrases "whenever" and "knows" 
is as follows. Suppose for simplicity that the verifier is always convinced (i.e. 
after interaction with the prover the verifier always enters an accepting state). 
Saying that the prover "knows" a satisfying assignment means that it "can be 
modified" so that it outputs a satisfying assignment. The notion of "possible 
modifications of machine AT" is captured by efficient algorithms that use M 
as an oracle. Hence, saying that the prover "knows" a satisfying assignment 
means that it is feasible to compute a satisfying assignment by using the prover 
as an oracle. Namely, there exists an efficient algorithm, called the knowledge 
extractor, that on input a formula <j> and given oracle access to a good prover 
(i.e. a prover which always convince the verifier on common input <f>) is able to 
output a satisfying assignment to (b. Indeed, this is exactly the interpretation 
given in works as [18, 6]. The problem is to deal with the general case in which 
the prover may convince the verifier with some probability e < 1. Again, for 
constant € there is no problem and it can be required that even in this case the 
knowledge extractor succeeds in outputting a satisfying assignment in expected 
polynomial-time (or alternatively output such an assignment in polynomial time 
with probability exponentially close to 1). This interpretation is valid also if € 
is any non-negligible function of the length of the input (j> (a non-negligible 
function in n is a function which is asymptotically bounded from below by a 
function of the form n _c , for some constant c). But what should be required 
if the prover does not convince the verifier with non-negligible probability? Most 

3 We have replaced the more intuitive but possibly misleading phrase "convinced that 
the prover knows something" by the neutral phrase "convinced". 
previous formulations (e.g., [18, 6]) require nothing, and hence are unsatisfactory 
both from a conceptual point of view and from a practical point of view (i.e., in 
view of many known applications). In particular, this inadequacy often appears 
when "proofs of knowledge" are used as subprotocols inside larger protocols. In 
other words, the inadequate formulations of "proofs of knowledge" drastically 
limit their modular application in the construction of cryptographic protocols. 

1.2 Provers which convince with probability that is not 
non-negligible 

We start with an abstract justification of our claim that requiring nothing, in 
case the prover does not convince the verifier with non-negligible probability, is 
wrong. We first uncover the reason it has been believed that it is justified to 
require nothing. It has been believed that events which occur with probability 
which is not non-negligible can be ignored, just as events which occur with 
negligible probability can be ignored. However, a key observation, which has been 
overlooked by this argument, is that a sequence of probabilities can be neither 
negligible (i.e., smaller than $n^{-c}$ for all c > 0 and all sufficiently large n's) nor 
non-negligible (i.e., bigger than $n^{-c}$ for some c > 0 and all sufficiently large n). 
Hence, even if it were justified to require nothing in case the prover convinces 
the verifier with negligible probability, it is unjustified to require nothing in case 
the probability of being convinced is just not non-negligible! 

To demonstrate what is wrong when we require nothing in case the prover 
does not convince the verifier with a non-negligible probability, we consider the 
following possibility. Suppose that there exist a prover and an infinite sequence of 
CNF formulae, $\{\phi_n : n \in \mathbb{N}\}$, such that the probability that the prover convinces 
the verifier on common input $\phi_n$ is $n^{-k}$, where n is the length of $\phi_n$ and k is 
the number of literals in the longest clause of $\phi_n$. Furthermore, suppose that, 
for every k > 0, there exist infinitely many n's such that k is the number 
of literals in the longest clause of $\phi_n$. An important observation is that the 
sequence of probabilities (defined by the above prover and formulae) is neither 
negligible (i.e., smaller than $n^{-c}$ for all c > 0 and all sufficiently large n's) nor 
non-negligible (i.e., bigger than $n^{-c}$ for some c > 0 and all sufficiently large 
n). Hence, previous definitions of "proof of knowledge" require nothing (or too 
little) with respect to the above prover. To appreciate the severity of the lack of 
requirement with respect to the above prover consider the following application. 
Suppose that each $\phi_n$ has a unique satisfying assignment, and that a "proof of 
knowledge of a satisfying assignment" is used as a subprotocol inside a protocol 
in which Alice will send Bob a satisfying assignment to $\phi_n$ if she is convinced by 
Bob that he already knows this assignment. We would like to argue that in this 
application Alice yields no knowledge to Bob (i.e., Alice is zero-knowledge). 
Using a reasonable definition of "proof of knowledge" one should be able to 
prove such a statement (and indeed using our definition such a proof can be 
presented). Yet, the zero-knowledge property of Alice can not be demonstrated 
using previous formulations of "proof of knowledge." 4 
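
The two inequalities behind the observation above, made explicit here as an added step that is not part of the original text; $k(n)$ denotes the number of literals in the longest clause of $\phi_n$ (the paper's k, which depends on n) and $p_n = n^{-k(n)}$ the probability that the prover convinces the verifier on $\phi_n$:

$$p_n = n^{-k(n)} \ge n^{-1} \quad \text{for the infinitely many } n \text{ with } k(n) = 1,$$

$$\text{for every } c > 0:\qquad p_n = n^{-k(n)} \le n^{-c} \quad \text{for the infinitely many } n \text{ with } k(n) \ge c.$$

The first line shows that $p_n < n^{-1}$ fails for infinitely many n, so $(p_n)$ is not negligible; the second shows that for no c does $p_n > n^{-c}$ hold for all sufficiently large n, so $(p_n)$ is not non-negligible either.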

A more concrete and practical setting can help to further clarify our point. 
It has been suggested to use a "proof of knowledge" as a subprotocol inside a 
multi-round encryption scheme secure against chosen ciphertext attack (cf. [8, 
Sec. 5] and [15, Sec. 5.4]). Namely, the decryption module returns a decryption 
of a chosen ciphertext only if "convinced" that the party asking for it already 
"knows it". (This is a special case of the application considered in the previous 
paragraph). Using previous formalizations of "proof of knowledge" it cannot be 
proved that the above "decryption module" is zero-knowledge (i.e., yields no 
knowledge) under a chosen ciphertext attack. Yet, the above decryption module 
is zero-knowledge and this zero-knowledge property (though not proven!) has 
been used to claim that the particular multi-round encryption scheme is secure 
against chosen message attack. We stress that the above mentioned encryption 
scheme is indeed secure under such attacks, it is just that its security has not 
been proven but rather "hand-waved", and that the essential flaw in the 
hand-waving is the fact that it is based on an inadequate formalization of proofs of 
knowledge. 

The above example is very typical. In many (yet not all) applications of 
"proofs of knowledge" one relies on their meaningfulness with respect to arbi- 
trary behavior of the prover. Yet as pointed out above, previous formalizations of 
"proof of knowledge" are meaningful only in case the prover convinces the verifier 
with non-negligible probability. One should not make the mistake of saying that 
events which happen with probability that is not non-negligible can be ignored, 
since such probabilities are not negligible! Put in other words, negligible is not 
the negation of non-negligible! 

To avoid confusion we stress that the definitions of [6] do suffice for the 
applications in their paper. Problems (as illustrated above) have arisen when 
these same definitions have (later) been used in other applications. 

1.3 A few words about the definition presented in this paper 

The most important aspect in which our definition (as well as the one of [7]) 
deviates from the previous ones is that there is no sharp distinction between 
provers based on whether they convince the verifier with non-negligible proba- 
bility or not. In our case, the requirement is that the knowledge extractor always 
succeeds and that the average number of steps it performs is inversely propor- 
tional (via a polynomial factor) to the probability that the prover convinces the 
verifier. 

Over and above this change, we have taken the opportunity to correct what 
we feel are other conceptual drawbacks of previous definitions (including [7]). 

4 Typically, the simulator for the zero-knowledge property uses the knowledge extrac- 
tor (for the proof of knowledge) as a subroutine. However, previous formulations 
of "proof of knowledge" do not guarantee a knowledge extractor which handles the 
entire sequence of formulae. On the other hand, one cannot ignore the case in which 
something is sent by Alice since this case is not negligible. 
Although these other changes are to some extent a matter of taste they are 
nonetheless important, and also enable us to obtain definitions that are more 
general than previous ones. As examples, a few such issues are discussed below; 
we refer the reader to §4 for more details as well as for a discussion of the many 
other points of difference. 

All previous definitions refer only to provers which can be implemented by 
probabilistic, polynomial time programs (with auxiliary input). In some works, it 
is even claimed that it makes no sense to talk of the knowledge of computationally 
unrestricted machines. We strongly disagree with such claims, and point out 
that previous definitions have considered only computationally restricted provers 
because of technical reasons. From a conceptual point of view it is desirable to 
have a "uniform" definition of proofs of knowledge which refers to all provers 
independently of their complexity, the probability they lead the verifier to accept, 
and so on. In fact, our definition has this property. A consequence of this property 
is that our definition enables one to talk of the "knowledge" of super-polynomial- 
time machines. For example, we are able to say in what sense the interactive 
proofs introduced by Shamir [17], in order to demonstrate that IP=PSPACE, 
constitute "proofs of knowledge." 

Most proofs of knowledge (e.g., the proof of knowledge of an isomorphism 
used by [12] - see Appendix E) are constructed by iterating some "atomic" pro- 
tocol. Typically, these atomic protocols have the property that one can easily 
lead the verifier to accept with some constant probability (say, 1/2) even when 
having no "knowledge" whatsoever. Yet, these atomic protocols do prove some 
"knowledge" of the prover, in case it is able to convince the verifier with higher 
probability. However, previous definitions of "proof of knowledge" were unable 
to capture this phenomenon; they were only able to say what it means for suffi- 
ciently (i.e. super-logarithmic) many iterations of these "atomic" protocols to be 
"proofs of knowledge." This belies the basic intuition and also precludes a mod- 
ular approach to protocol design. We correct these weaknesses by showing how 
to measure the "knowledge error" of a proof, and then showing how composition 
reduces it. 

A special case of our definition is when the knowledge error is zero. This 
special case is important in some applications. In particular, "proofs of knowl- 
edge with zero error" are important when using a proof of knowledge inside a 
zero-knowledge protocol so that one party sends some information only if he is 
convinced that the other party already knows it. A typical example is the zero- 
knowledge protocol for graph non-isomorphism of [12] (cf. §7.1). We stress that 
none of the previous definitions could handle "proofs of knowledge with zero 
error." 

1.4 Organization 

The main conventions used throughout the paper appear in §2. The new def- 
inition (of a proof of knowledge) appears in §3, and §4 contains a discussion 
of various aspects of this definition. This main part of the paper is augmented 
by Appendix A, in which previous definitions (of proofs of knowledge) are re- 
viewed, and by §7 in which examples of the applications of the new definition 
are presented. 

The rest of the paper addresses issues which are related to the definition of a 
proof of knowledge: §5 addresses the effect of repeating a proof of knowledge, and 
§6 presents an equivalent formulation of our definition of a proof of knowledge. 

2 Preliminaries 

Let $R \subseteq \{0,1\}^* \times \{0,1\}^*$ be a binary relation. We say that R is polynomially 
bounded if there exists a polynomial p such that $|y| < p(|x|)$ for all $(x,y) \in R$. 
We say that R is an NP relation if it is polynomially bounded and, in addition, 
there exists a polynomial-time algorithm for deciding membership in R. 
If R is a binary relation we let $R(x) = \{y : (x,y) \in R\}$ and 

$$L_R = \{x : \exists y \text{ such that } (x,y) \in R\}.$$

If $(x,y) \in R$ then we call y a witness for x. 

The proof systems we define are two-party protocols. We model the players in 
these protocols not (as is common) as interactive machines, but rather as what 
we will call "interactive functions." The idea is to separate the computational 
aspect of the player from its input/output behaviour. We feel that this eases and 
clarifies the presentation of the (later) definitions. 

Definition 1. An interactive function A associates to each $x \in \{0,1\}^*$ (common 
input) and $\eta \in \{0,1\}^*$ (prefix of a conversation) a probability distribution on 
$\{0,1\}^*$ which we denote by $A_x[\eta]$. We denote by $A_x(\eta)$ an element chosen at 
random from this distribution. 

Intuitively, $A_x(\eta)$ is A's next message when the prefix of the conversation so far 
was $\eta$ and the common input is x. 

The two players in the protocols we will consider are called the prover and 
the verifier. Both are modeled as interactive functions. The interaction between 
prover P and verifier V on a common input x consists of a sequence of "moves" 
in each of which one player sends a message to the other. The players alternate 
moves, and for simplicity we will assume the prover moves first and the verifier 
last. We denote by $\alpha_i$ (resp. $\beta_i$) the random variable which is the message sent by 
the prover (resp. verifier) in his i-th move. We assume any prefix of a conversation 
can be uniquely parsed into its constituent messages. Then each message is 
specified by the prescribed interactive function as a function of the common 
input and previous messages. More precisely, 

$$\alpha_i = P_x(\alpha_1 \beta_1 \ldots \alpha_{i-1} \beta_{i-1}) \quad (i = 1, 2, \ldots)$$
$$\beta_i = V_x(\alpha_1 \beta_1 \ldots \alpha_{i-1} \beta_{i-1} \alpha_i) \quad (i = 1, 2, \ldots).$$

These random variables are defined over the probabilistic choices of both inter- 
active functions. 
We will adopt the convention that there are special symbols which an inter- 
active function may output to indicate things like acceptance or rejection. We 
assume there exists a function $t_V(\cdot)$ (the number of "rounds") such that the 
$t_V(x)$-th move of the verifier contains its verdict on acceptance or rejection. (For 
simplicity we restrict the number of rounds to be a function of the verifier and 
the common input, and do not allow it to depend on the prover. Yet this is with- 
out loss of generality). The transcript of the interaction, denoted $\mathrm{tr}_{P,V}(x)$, is the 
string valued random variable which records the conversation up to the verifier's 
verdict. That is, $\mathrm{tr}_{P,V}(x) = \alpha_1 \beta_1 \ldots \alpha_{t_V(x)} \beta_{t_V(x)}$. Note that the transcript of the 
interaction between a prover P and verifier V contains the sequence of messages 
exchanged during the interaction, but not information which is available only to 
one party, such as its "auxiliary input" or its "internal coin tosses," unless these 
were sent to the other party. 

Since we have assumed that the transcript contains the verifier's verdict 
on whether to accept or reject, we may, for each x, talk of the set of ac- 
cepting transcripts, denoted $\mathrm{ACC}_V(x)$, and the set of rejecting transcripts, de- 
noted $\mathrm{REJ}_V(x)$. Thus the "probability that the verifier accepts" is, by definition, 
$\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)]$. 

We stress that the definition of an interactive function makes no reference to 
its computational aspects. We may discuss the computational complexity of an 
interactive function in a natural way, namely by the complexity of a (probabilis- 
tic) Turing machine that computes it. In particular, we say that an interactive 
function A is computable in probabilistic polynomial time if there exists a prob- 
abilistic Turing machine which on input $x, \eta$ outputs an element distributed 
uniformly in $A_x[\eta]$, and runs in time polynomial in the length of x. 

For simplicity we will restrict the verifier's program to be computable in 
probabilistic, polynomial time. (We stress that we do not restrict the computa- 
tional power of the party playing the role of the verifier.) We will also restrict 
the number of rounds (associated to this verifier program) to be a polynomially 
bounded, polynomial time computable function. 

Sometimes we wish to discuss probabilistic, polynomial time players who 
receive an additional "auxiliary" input (such an input may be, for example, a 
witness for the membership of the common input in some predetermined NP 
language). We may capture such situations by thinking of the auxiliary input 
as being incorporated in the interactive function (i.e. the party's interaction on 
common input x and auxiliary y is captured by an oracle indexed by both x and 

We will be interested in probabilistic machines which use interactive functions 
as oracles. 

Definition 2. Let $K(\cdot)$ be a probabilistic oracle machine, and A an interactive 
function. Then $K^{A_x}(x)$ is a random variable describing the output of K with 
oracle $A_x$ and input x, the probability being over the random choices of K and 
A. 

The meaning of having $A_x$ as an oracle is that K may specify a string $\eta$ and, 
in one (special) step, obtain a random element from $A_x[\eta]$. We count the steps 
needed to specify $\eta$ (and read the output), but the oracle invocation is just one 
step. It is understood that an invocation of the oracle on a string $\eta$ returns a 
random element of $A_x[\eta]$, independently of any previous invocations of the oracle 
on other inputs. 5 

We call a function $f: \mathbb{N} \to \mathbb{R}$ negligible if for all $c > 0$ and all sufficiently 
large n we have $f(n) < n^{-c}$. We call a function $f: \mathbb{N} \to \mathbb{R}$ non-negligible if 
there exists $c > 0$ so that for all sufficiently large n we have $f(n) > n^{-c}$. We 
call $f: \{0,1\}^* \to \mathbb{R}$ negligible if the function $n \mapsto \max_{x \in \{0,1\}^n} f(x)$ is negligible, 
and non-negligible if the function $n \mapsto \min_{x \in \{0,1\}^n} f(x)$ is non-negligible. As 
stressed above, non-negligible is not the negation of negligible but rather a very 
strong negation of it (and there exist functions which are neither negligible nor 
non-negligible). 
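A concrete function of the last kind, added here as an illustration (it is not from the paper): 

$$f(n) = \begin{cases} 1 & \text{if } n \text{ is even,} \\ 2^{-n} & \text{if } n \text{ is odd.} \end{cases}$$

This f is not negligible, since for every $c > 0$ and every even n we have $f(n) = 1 > n^{-c}$; and it is not non-negligible, since for every $c > 0$ and all sufficiently large odd n we have $f(n) = 2^{-n} < n^{-c}$. A prover which convinces the verifier with probability $f(|x|)$ is thus neither covered by the "non-negligible" case of the earlier formalizations nor dismissible as a negligible event, which is precisely the gap stressed in the introduction. 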

3 A Definition of a Proof of Knowledge 

Let $R \subseteq \{0,1\}^* \times \{0,1\}^*$ be a binary relation. Our aim is to define a "sys- 
tem of proofs of knowledge for R." For simplicity, we restrict our attention to 
polynomially bounded relations (and, unless otherwise stated, all relations in 
this paper are assumed to be such). Note that the most natural and important 
class of proofs of knowledge, namely those of "knowledge of a witness for an NP 
statement," correspond to the special case of NP relations. 

The heart of the proof system is the verifier, which remains fixed for our 
entire discussion. This fixed verifier may interact with arbitrary provers, and 
we will relate the behavior of the verifier in these interactions with assertions 
concerning knowledge of the corresponding provers. 

For the purpose of defining proofs of knowledge there is no need to restrict 
the verifier computationally, although in most applications one asks that it be 
probabilistic, polynomial time. 

We make no assumptions concerning the possible provers (in contrast to 
previous formalizations). We don't even assume that they send messages that 
can be computed (say nothing about efficiently computed) from the information 
they receive (i.e., their initial input and in-coming messages). That is, provers 
are arbitrary interactive functions. 

We wish to define the "knowledge of P about x which may be deduced from 
the interaction of P with V (on input x)" . Clearly, this knowledge contains the 
transcript of the interaction. Yet, in case the interaction is accepting and this 
event is not incidental, one can say more on the knowledge of P. Namely, the 
ability of P to "often" lead the verifier to accept may say something about 
the knowledge of P. The crucial observation, originating in [14], is that the 
"knowledge of P about x (deduced by interaction)" can be captured by whatever 
can be efficiently computed on input x and access to the oracle $P_x$. 

5 A stricter alternative is obtained by fixing the prover's sequence of coin tosses and 
treating it as auxiliary input to the prover. Note that all known "proofs of knowledge" 
satisfy also this more strict requirement. The fact that the strict requirement implies 
the main one can be shown by techniques similar to those used in Appendix C. 
The phrase "efficiently computed on input x and access to an oracle $P_x$" is 
made precise in the definition of a "knowledge extractor." The straightforward 
approach is to require that the knowledge extractor is a probabilistic polynomial- 
time oracle machine. Indeed this is the approach taken in some previous works 
(if one translates their ideas to this slightly different setting). We will replace 
the strict requirement that the knowledge extractor works in polynomial-time 
by a more adaptive requirement which relates the running time of the knowledge 
extractor to the probability that the verifier is convinced. The advantages of this 
approach have already been discussed and will be further discussed below. 

Let $p(x)$ be the probability that prover P convinces verifier V to accept on 
input x. In its simplest form, the requirement we impose is that the extractor 
succeed in outputting a witness in (expected) time proportional to $1/p(x)$. In 
actuality, we will introduce a "knowledge error function" $\kappa(\cdot)$ and ask that the 
extractor succeed in outputting a witness in (expected) time proportional to 
$1/(p(x) - \kappa(x))$. Intuitively, $\kappa(x)$ is the probability that the verifier might accept 
even if the prover did not in fact "know" a witness. We note that in applications 
$\kappa(x)$ is small, and often it is zero (cf. §4.4 and §5). The precise definition follows. 

Definition 3. (System of proofs of knowledge) Let R be a binary relation, and 
$\kappa: \{0,1\}^* \to [0,1]$. Let V be an interactive function which is computable in 
probabilistic, polynomial time. We say that V is a knowledge verifier for the 
relation R with knowledge error $\kappa$ if the following two conditions hold. 

- Non-triviality: There exists an interactive function $P^*$ so that for all $x \in L_R$, 
all possible interactions of V with $P^*$ on common input x are accepting (i.e. 
$\Pr[\mathrm{tr}_{P^*,V}(x) \in \mathrm{ACC}_V(x)] = 1$). 

- Validity (with error $\kappa$): There exists a constant $c > 0$ and a probabilistic oracle 
machine K such that for every interactive function P and every $x \in L_R$, 
machine K satisfies the following condition: 

if $p(x) \stackrel{\mathrm{def}}{=} \Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] > \kappa(x)$ then, on input x and access 
to oracle $P_x$, machine K outputs a string from the set $R(x)$ within 
an expected number of steps bounded by 

$$\frac{|x|^c}{p(x) - \kappa(x)}.$$

The oracle machine K is called a universal knowledge extractor, and $\kappa$ is called 
the knowledge error function. 

The next section is devoted to remarks on various features of this definition. 

4 Remarks 

We discuss various features of our definition, with particular regard to how it 
differs from previous definitions. 
4.1 Provers which convince with non-negligible probability 

Suppose the knowledge error is negligible. Clearly, if the verifier accepts with non- 
negligible probability then the knowledge extractor runs in average polynomial 
in $|x|$ time. This conclusion yields essentially what [6, 18] have considered as 
sufficient. Yet, as we have argued, this conclusion by itself does not suffice. 

4.2 The efficiency of the provers and verifier 

For the purpose of defining proofs of knowledge, there is no need to restrict 
the prover to polynomial-time. This is a point on which we disagree with pre- 
vious works which claimed that it makes no sense to talk of the knowledge of 
unrestricted machines. Our definition is presented without assuming anything 
about the power of the prover, and it is a corollary that machines with no time 
bounds may know facts which cannot be deduced in (say) double exponential 
time (and so on). In particular, as we will see (cf. §7.2), it is meaningful, under 
our definition, to say that the prover in Shamir's interactive proof system for a 
PSPACE-complete language "knows" an accepting computation of a polynomial- 
space machine. On the other hand, provers which succeed in convincing a verifier 
of their knowledge can be reasonably efficient. For example, they may be imple- 
mented by polynomial-time programs. Furthermore, all "reasonable" interactive 
proofs for languages in NP (and in particular the zero-knowledge ones [12]) can 
be convinced by probabilistic polynomial-time provers which get an NP-witness 
as auxiliary input. (However, membership in an NP language can be proven via 
Shamir's result that IP = PSPACE. The corresponding prover is unlikely to be 
implementable in polynomial-time). 

Note that we do not ask that the verifier be a probabilistic polynomial time in- 
teractive Turing machine, but just that it be an interactive function computable 
by one. This distinction is conceptually useful when we consider applications 
such as the graph non-isomorphism protocol [12] in which the verifier (of the 
proof of knowledge) is the prover of the graph non-isomorphism protocol, and 
thus not a probabilistic polynomial time interactive Turing machine. However, 
the part of this prover's program which implements the verifier (of the proof of 
knowledge) is indeed computable in probabilistic polynomial time. 

4.3 The knowledge extractor 

What should not be given to the knowledge extractor. We deviate from some 
previous works in that we define the knowledge of the prover only with respect 
to what is publicly available (i.e., the common input x, access to an oracle for 
the prover, and possibly the transcript). Some other works define the knowledge 
of the prover with respect to the auxiliary information available to the prover as 
well as its sequence of coin tosses (which may⁶ not be known to the verifier). To 
justify our choice we remind the reader that the definition of "proof of knowl- 
edge" is supposed to capture the knowledge of the prover demonstrated by the 

6 Using the term "may" is indeed an understatement! 

interaction and not merely the knowledge of the prover. Hence, there seems to be 
little motivation and/or justification to talk about the knowledge of a machine 
with respect to something which is not known to the outside (i.e., verifier). In 
particular, only the common input (of the interaction) should be given as input 
to the knowledge extractor, and the auxiliary input or local coins of the prover 
should certainly not be given. 

One thing that the knowledge extractor can do. In all examples we are aware 
of, the knowledge extractor proceeds by trying to find several (not more than 
polynomially many) related accepting transcripts. For example, the knowledge 
extractor presented in Appendix E tries to find a single accepting transcript in 
addition to the one given as input. Clearly such a knowledge extractor succeeds 
within an average number of steps which is inversely proportional to the density 
of the accepting transcripts (which is in other words the accepting probability). 
Note that if the proof of knowledge is zero-knowledge then a single accepting 
transcript (and in particular the one given as input) cannot suffice. 

Universality of the knowledge extractor. In the above definition we require the 
existence of a universal knowledge extractor which works for all possible in- 
teractive functions P. Switching the quantifiers (i.e., requiring that for every 
interactive function P there exist a knowledge extractor Kp) would make lit- 
tle sense in practice since P in our conventions may depend on (non-uniform) 
auxiliary input of the "real" prover (cf. §2). However, the quantifiers may be 
switched if one considers only provers which are (uniform) interactive machines. 
For further discussion see the parenthetical subsection in [10, Sec. 4.1], which 
considers an analogous situation in the context of zero-knowledge. We stress 
that also in case the quantifiers are switched, the knowledge extractor (although 
it may depend on the prover) must be given oracle access to the prover. The 
reason being that the prover's program may be highly inefficient (and therefore 
cannot be "incorporated" into the extractor). 

4.4 The knowledge error function 

The knowledge error function is a novelty of our definition. 7 Let us see why it is 
important. 

Typically, "proofs of knowledge" are constructed by repeating an "atomic" 
protocol sufficiently many times. An atomic protocol for graph isomorphism, for 
example, is the following (cf. [12]). 

Example. The input is a pair of (isomorphic) graphs $G_1$ and $G_2$. The prover 
generates a single random isomorphic copy of $G_1$ which we call H, and sends H 
to the verifier. The latter responds with a random query $i \in \{1, 2\}$. The prover 
replies to i by presenting an isomorphism between $G_i$ and H. The verifier accepts 

7 Although the ideas in [5] may be interpreted as pointing to a similar notion. 

if the permutation supplied by the prover is indeed an isomorphism between $G_i$ 
and H. 

Intuitively, this protocol does demonstrate some "knowledge" of an isomorphism 
between $G_1$ and $G_2$. Yet, previous definitions were unable to capture this fact; 
they were only able to show that sufficiently (i.e. super-logarithmic) many it- 
erations of this protocol constituted a "proof of knowledge." This non-modular 
approach belies the basic intuition and is also not the natural approach to pro- 
tocol design. 

The introduction of the knowledge error function remedies these defects. In 
particular, we are able to capture "atomic" proofs of knowledge of the above type. 
Indeed, under our definition, the above is a proof of knowledge with knowledge 
error 1/2. Furthermore, we are able to prove composition theorems which show 
how to reduce the knowledge error (cf. §5) and thus construct proofs of knowledge 
in a modular fashion. 
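The atomic graph isomorphism protocol above, its verifier, and a rewinding knowledge extractor of the kind described in §4.3 (obtain a second accepting answer for the same first message), as an added worked example in Python; this is not code from the paper. Following footnote 5, provers are modelled as deterministic programs of a random tape and the conversation prefix, so that oracle access to $P_x$ (Definition 2) samples a tape consistent with the queried prefix; the 4-vertex instance, the tape space and the three prover programs are constructed for the demonstration, and names such as `ProverOracle` and `extract` are this example's own.

```python
import random
from itertools import permutations

# Constructed helpers: a graph is (n, frozenset of sorted edge pairs over 0..n-1);
# a permutation pi is a tuple with pi[v] the image of vertex v.

def apply_perm(graph, pi):
    n, edges = graph
    return (n, frozenset(tuple(sorted((pi[u], pi[v]))) for u, v in edges))

def is_isomorphism(pi, g_from, g_to):
    return (isinstance(pi, tuple) and sorted(pi) == list(range(g_from[0]))
            and apply_perm(g_from, pi) == g_to)

def compose(pi, sigma):            # (pi o sigma)[v] = pi[sigma[v]]
    return tuple(pi[sigma[v]] for v in range(len(sigma)))

def inverse(pi):
    return tuple(sorted(range(len(pi)), key=pi.__getitem__))

def verifier_accepts(x, h, i, reply):   # the verifier's verdict on (H, i, reply)
    return is_isomorphism(reply, x[i - 1], h)

# Provers are deterministic programs of a tape r = (sigma, b) and the prefix
# (footnote 5); P_x[prefix] is sampled by choosing a tape consistent with the prefix.

def honest_program(x, witness):
    """Knows pi with pi(G1) = G2: sends H = sigma(G1) and answers both challenges."""
    g1, _ = x
    def prog(r, prefix):
        sigma, _ = r
        h = apply_perm(g1, sigma)
        if prefix == ():
            return h
        if prefix[0] == h:           # sigma : G1 -> H,  sigma o pi^-1 : G2 -> H
            return sigma if prefix[1] == 1 else compose(sigma, inverse(witness))
        return None
    return prog

def cheating_program(x):
    """Knows no isomorphism: sends H = sigma(G1), answers only challenge 1, p(x) = 1/2."""
    g1, _ = x
    def prog(r, prefix):
        sigma, _ = r
        h = apply_perm(g1, sigma)
        if prefix == ():
            return h
        return sigma if prefix[0] == h and prefix[1] == 1 else None
    return prog

def mixed_program(x, witness):
    """Tape bit b selects honest (b=0) or cheating (b=1) behaviour, so p(x) = 3/4."""
    progs = (honest_program(x, witness), cheating_program(x))
    return lambda r, prefix: progs[r[1]](r, prefix)

class ProverOracle:
    """Oracle access to P_x (Definition 2): every query returns a fresh sample from
    P_x[prefix], independently of earlier queries, and counts as one step."""
    def __init__(self, prog, tapes, rng):
        self.prog, self.tapes, self.rng, self.queries = prog, tapes, rng, 0
    def query(self, prefix):
        self.queries += 1
        ok = [r for r in self.tapes if prefix == () or self.prog(r, ()) == prefix[0]]
        return self.prog(self.rng.choice(ok), prefix)

def accept_probability(x, prog, tapes):
    """Exact p(x) = Pr[tr_{P,V}(x) in ACC_V(x)] over the tape and the challenge."""
    hits = sum(verifier_accepts(x, prog(r, ()), i, prog(r, (prog(r, ()), i)))
               for r in tapes for i in (1, 2))
    return hits / (2 * len(tapes))

def extract(x, oracle, max_tries):
    """Extractor for knowledge error 1/2: get both answers on one first message H
    and combine them into tau^-1 o sigma : G1 -> G2.  A fraction >= 2p(x)-1 of
    first messages admit both answers, so expected tries <= 1/(2(p(x)-1/2))."""
    for _ in range(max_tries):
        h = oracle.query(())
        sigma, tau = oracle.query((h, 1)), oracle.query((h, 2))
        if verifier_accepts(x, h, 1, sigma) and verifier_accepts(x, h, 2, tau):
            return compose(inverse(tau), sigma)
    return None   # no guarantee when p(x) <= 1/2, hence the try budget

def instance():
    """Constructed instance: G2 = pi(G1) for the path 0-1-2-3, and all 48 tapes."""
    g1 = (4, frozenset({(0, 1), (1, 2), (2, 3)}))
    pi = (2, 0, 3, 1)
    tapes = [(s, b) for s in permutations(range(4)) for b in (0, 1)]
    return (g1, apply_perm(g1, pi)), pi, tapes

def demo():   # {name: (p(x), extracted witness or None, oracle queries used)}
    x, pi, tapes = instance()
    results = {}
    for name, prog in (("honest", honest_program(x, pi)),
                       ("cheater", cheating_program(x)),
                       ("mixed", mixed_program(x, pi))):
        oracle = ProverOracle(prog, tapes, random.Random(7))
        w = extract(x, oracle, max_tries=200)
        results[name] = (accept_probability(x, prog, tapes), w, oracle.queries)
    return results
```

Against the honest prover the extractor needs a single try (three oracle queries); against the cheater, whose $p(x)$ equals the knowledge error, it exhausts its budget without a witness; against the mixed prover with $p(x) = 3/4$ it succeeds in about $1/(2(3/4 - 1/2)) = 2$ tries on average.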

Another motivation of the knowledge error function comes from cases where, 
for convenience, we have the verifier accept with some (usually small) probability 
even if the evidence supplied by the prover is not convincing. For example, we 
may do this to guarantee perfect completeness (i.e., the prover's ability to always 
convince the verifier of valid statements). In such cases, the knowledge error 
can compensate for this small probability. The importance of this aspect of the 
knowledge error function, and the perfect completeness example, were pointed 
out to us by Feige (private communication, June 1992). 

4.5 What about soundness? 

We note that our definition makes no requirement for the case $x \notin L_R$. In 
particular, soundness (i.e., a bound on the prover's ability to lead the verifier 
to accept $x \notin L_R$) is not required. Consequently, a knowledge verifier for R 
does not necessarily define an interactive proof of membership in Lr. This is 
in contrast to previous definitions; they had the "validity" condition imply the 
soundness condition, so that the latter always held. We feel that our "decoupling" 
of soundness from validity is justified both conceptually and in the light of certain 
applications. Let us see why. 

First, conceptually, it seems more natural to talk about extracting witnesses 
only when these witnesses exist. Furthermore, as long as one property is not 
known to imply the other it seems wrong to require the latter unless one really 
needs it. 

Second, there are some natural applications (e.g., "zero-knowledge based" 
identification schemes) in which it is a-priori agreed that the protocol will be 
applied only to strings in some NP language (i.e., $x \in L_R \in \mathrm{NP}$). Such applica- 
tions are better modeled by our definition than by previous ones. To be concrete, 
consider the following identification scheme based on the hardness of quadratic 
residuosity. 

Example. A user A (Alice), who wishes to be able to securely remote-login to a 
mainframe computer (which we denote by V because it plays the role of verifier) 
chooses at random a pair of large primes and multiplies them to get a modulus 
$N_A$. She also chooses $Y_A \in \mathbb{Z}^*_{N_A}$ at random, sets $X_A = Y_A^2 \bmod N_A$, and gives 
the pair $(N_A, X_A)$ to V. All this is performed once in a life-time, when Alice 
is identified by other means. Later, whenever Alice wishes to remote-login, she 
sends her name (A) to V, who responds by sending the pair $(N_A, X_A)$. She now 
provides a (zero-knowledge) proof that she "knows" a square root of $X_A \bmod N_A$. 
Besides the fact that A can provide the proof (completeness) we require 
that if Bob ($B \neq A$) were to attempt to remote-login as A then he (B) would 
fail. The point to note in (the formalization of) the latter requirement is that 
the interaction of B with V takes place on an input (namely $(N_A, X_A)$) which 
is in the underlying language $L_R$ (the relation R here is 
$\{((N, X), Y) : Y^2 \equiv X \pmod{N}\}$ and the underlying language is 
$L_R = \{(N, X) : X \text{ is a square mod } N\}$). 
So it suffices to require that the interaction of B with V on inputs in this 
language "proves possession of a witness." What happens on interactions on input 
not in the language is immaterial to the security of the identification scheme. 
Thus the requirements for a secure (zero-knowledge based) identification scheme 
are more faithfully modeled by our Definition 3 than by previous definitions 
(which required that any proof of knowledge of a relation R be an interactive 
proof of membership in $L_R$). 

We stress that we are not, of course, saying that soundness is always redundant. 
Rather, the above discussion justifies our choice not to make soundness a part 
of the definition of a proof of knowledge. In cases where soundness is necessary, 
it can be viewed as a separate, additional property that the knowledge verifier 
must satisfy. Furthermore, it is possible that some applications call for other 
kinds of conditions on $x \notin L_R$. One possibility, which we call strong validity, is 
discussed in Appendix B. 

4.6 Relaxing the non-triviality requirement 

The prover guaranteed by the non-triviality requirement must convince the ver- 
ifier in all interactions on $x \in L_R$. This requirement, met in all known protocols, 
is not essential to the definition of a proof of knowledge. In general one may re- 
quire only the existence of a prover that convinces the verifier, on input x, with 
probability $C(x)$. As far as polynomial-time (or even more powerful) verifiers 
are concerned any choice of a polynomial-time constructive bound, $C(\cdot)$, which 
is both non-negligibly greater than $\kappa(\cdot)$ and bounded above by $1 - 2^{-\mathrm{poly}(\cdot)}$, is 
equivalent. 8 In fact, following the ideas in [9], one can eliminate the error prob- 
ability in the completeness condition altogether and derive the definition as in 
the previous section. However, although the last transformation does preserve 

8 When saying that these choices are equivalent, as long as the above requirements are 
satisfied, we mean that existence of a verifier which satisfies one permissible bound 
yields the existence of another verifier which satisfies the second bound. Furthermore, 
the complexity both of the verifier and of the prover (meeting the completeness 
condition) is preserved (and so are zero-knowledge properties). 
validity, it does not necessarily preserve the complexity of the prover and its 
zero-knowledge property. 9 

4.7 A word about computationally convincing proofs of knowledge 

Some works (cf. [4, 5]) consider the situation in which the class of provers for 
which the protocol is supposed to be a "proof of knowledge" is restricted to the 
class of probabilistic, polynomial time interactive Turing machines with auxiliary 
input. 10 Typically, the protocols in question rely on the use of problems which 
are intractable for the prover(s). This is the case of computationally convincing 
(zero-knowledge) proofs, also known as arguments (cf. [3]). 

Our definitions may be adapted to cover such settings as well. We would 
restrict the class of provers for which validity is required to hold to the class 
of interactive functions computable in probabilistic, polynomial time by inter- 
active machines. We would, however, also relax slightly the validity requirement 
by asking that it only be true for sufficiently long inputs. More precisely, we 
would require that for each probabilistic, polynomial time computable interac- 
tive function P (prover) there exist a constant $n_P$ such that for each $x \in L_R$ of 
length at least $n_P$, machine K satisfies the following condition: 

if $p(x) \stackrel{\mathrm{def}}{=} \Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] > \kappa(x)$ then, on input x and access 
to oracle $P_x$, machine K outputs a string from the set $R(x)$ within an 
expected number of steps bounded by $|x|^c / (p(x) - \kappa(x))$. 

In applications, $\kappa(x)$ could be set to $1/\mathrm{poly}(x)$ for some specific $\mathrm{poly}(\cdot)$. Alter- 
natively, following [7], one can use $\kappa(\cdot)$ as a shorthand for "smaller than any 
function of the form $1/\mathrm{poly}(\cdot)$". However, a much better alternative is to set $\kappa(\cdot)$ 
to be a specific negligible function (e.g., $\kappa(x) = 2^{-\sqrt{|x|}}$) related to a specific 
intractability assumption concerning the computational problem on which the 
scheme is based (e.g., DLP is intractable with respect to algorithms which run 
in time $2^{\sqrt{n}}$ on inputs of length n). 

Some ideas on the subject of "computationally convincing proofs of knowl- 
edge" appear in the work of Brassard, Crepeau, Laplante and Leger [5]. Although 
they do not present definitions, it would appear these ideas bear many similari- 
ties to ours. We discuss their work in Appendix A. 

The fact that some variations are needed to treat the case of "computationally 
convincing proofs of knowledge" has been pointed out to us by Feige (private 
communication, June 1992). 

9 In this context we note, however, that the zero-knowledge too may be preserved, 
as long as one is willing to make a complexity assumption, by further applying the 
transformation of [2]. 

10 For simplicity we ignore the auxiliary inputs in this discussion. They can be treated 
as outlined in §2. 
5 Reducing the knowledge error via repetitions 

One of the reasons to introduce the knowledge error function is the theorems 
established here. We show that the knowledge error may be reduced by compo- 
sition. 

First we consider sequential composition. Here $m = m(x)$ independent copies 
of the original protocol are executed on input x, and the verifier accepts iff all 
copies are accepting (we stress that by "independent" we mean that the verifier 
acts in each of the copies independently of the others; of course we don't assume 
this about prospective provers). If $\kappa$ was the knowledge error of the original 
protocol then the knowledge error of the resulting protocol is essentially $\kappa^m$. The 
more precise statement follows. 

Notational convention: by poly(-) we mean any sufficiently large polynomial in 
the length of the input (string). 

Required assumption: $y \in R(x)$ can be found (if such exists) in exponential time
(i.e., time $2^{\mathrm{poly}(|x|)}$). Finally, we assume of course that $m(x) \leq \mathrm{poly}(|x|)$.

Theorem 4. Suppose that V is a knowledge verifier for the relation R with
error $\kappa(\cdot)$. Let $V_m$ denote the program that, on input x, sequentially executes the
program V, on input x, for $m(x)$ times. Then $V_m$ is a knowledge verifier for the
relation R with error $\kappa_m(\cdot) \stackrel{\rm def}{=} (1 + 1/\mathrm{poly}(\cdot)) \cdot \kappa(\cdot)^{m(\cdot)}$.
The proof is in Appendix C.1.

With respect to error reduction via parallel repetitions we were only able to prove 
a statement concerning a special class of knowledge verifiers (which nonetheless 
contains all known verifiers). For further discussion see Appendix C.2. 

Finally, we observe that tiny knowledge error can be eliminated. 

Proposition 5. Suppose that an element in $R(x)$, if such exists, can be found
in time at most $t(x)$, given only x as input. Suppose V is a knowledge verifier
for R with knowledge error smaller than $1/t(x)$. Then, V is a knowledge verifier
for R with knowledge error 0.

We omit the proof which uses methods similar to those used in Appendix B. 

The resulting formulation (namely, knowledge error 0) is often the simplest way
of thinking about proofs of knowledge: we are saying that the knowledge extrac-
tor succeeds in time $|x|^c/p(x)$, where $p(x)$ is as in Definition 3. Many proofs of
knowledge (e.g., the one presented in Appendix E) are of this type.

6 An equivalent formulation of validity 

Following is an equivalent formulation of the validity condition. The new formu-
lation is inspired by (yet is quite different in many respects from) the definition
in [7]. Let $p(x)$ be as in Definition 3. Instead of asking that the knowledge verifier
always output $y \in R(x)$, we ask only that it output $y \in R(x)$ with a probability
bounded below by $p(x) - \kappa(x)$, and otherwise output a special symbol, denoted
$\bot$, indicating "failure to find $y \in R(x)$". However, whereas originally the ex-
tractor had expected time proportional to $1/(p(x) - \kappa(x))$, we now give it only
expected polynomial time. More precisely, letting $\kappa: \{0,1\}^* \to [0,1]$, we have
the following.

- New validity (with error $\kappa$): We say that the verifier V satisfies new validity
with error $\kappa$ if there exists a probabilistic expected polynomial-time oracle
machine K such that for every interactive function P and every $x \in L_R$ it
is the case that $K^{P_x}(x) \in R(x) \cup \{\bot\}$ and

$$\Pr[K^{P_x}(x) \in R(x)] \geq \Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] - \kappa(x).$$

Proposition 6. The new validity condition is equivalent to the one given in 
Definition 3. 

Here we give the proof for the case k(x) = 0. The proof for the general case is 
more complex and is in Appendix D. 

Suppose, first, that K is a knowledge extractor satisfying the new defini-
tion. We construct a knowledge extractor K' that, on input x, repeatedly in-
vokes K (on x) until $K(x) \neq \bot$. Clearly, K' always outputs a string in $R(x)$,
halting in expected time $\mathrm{poly}(x)/\Pr[K(x) \in R(x)]$, which is bounded above by
$\mathrm{poly}(x)/\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)]$. Hence, K' satisfies the condition in Definition 3.
Suppose, now, that K is a knowledge extractor satisfying Definition 3. We con-
struct a knowledge extractor K' that, on input x, first generates a random tran-
script (i.e., $\mathrm{tr}_{P,V}(x)$) and activates $K(x)$ if this transcript is accepting (i.e., in
$\mathrm{ACC}_V(x)$). Otherwise, K' halts immediately outputting $\bot$. One can easily verify
that K' runs in expected polynomial time and outputs $y \in R(x)$ with probability
exactly $\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)]$.

7 Applications 

Our formalization, as well as that of [7], does suffice to prove the security of those
schemes for encryption secure against chosen-ciphertext attack which rely on
zero-knowledge proofs of knowledge (cf. §1.2). However, we prefer to describe
here two applications to which our definition of "proof of knowledge" can be
applied, whereas all the previous formalizations fail. The first application is a
modular description of the zero-knowledge proof for Graph Non-Isomorphism
(of [12]) which uses a "proof of knowledge of an isomorphism" as a subprotocol.
The second application is to Shamir's interactive proof for PSPACE.

7.1 Zero-Knowledge proof of Graph Non-Isomorphism 

The second author first realized the inadequacy of previous formulations of 
"proofs of knowledge" when Leonid Levin insisted that the zero-knowledge in- 
teractive proof for Graph Non-Isomorphism (of [12]) should be presented in 
a modular manner.11 As many people noticed, the intuition behind this zero-knowledge
proof is that the verifier first proves to the prover that it "knows"
an isomorphism between one of the input graphs and the query graph that it 
presents to the prover. 12 If the prover is convinced then it answers the query by 
indicating to which of the two input graphs the query graph is isomorphic. By 
doing so the prover yields no knowledge to the verifier, since the verifier "knows" 
to which of the two input graphs the query is isomorphic, yet the prover's answer 
supplies statistical evidence that the two input graphs are not isomorphic. This 
intuitive idea, taken from the Quadratic Non-Residuosity zero-knowledge proof
of [14], has indeed guided the development of the zero-knowledge proof system 
for GNI, but plays no part in the formal description and proof of correctness 
appearing in [12] (and [14]). Levin complained, rightfully, against this inelegant 
and non-modular approach. The second author's answer, at the time, was that 
an elegant proof which uses the subprotocol and its properties in a modular 
fashion is not possible due to lack of appropriate definitions. 13 

One definition that was lacking at the time was that of the information hiding 
property of the subprotocol used to prove "possession of knowledge" . Specifically, 
that subprotocol, which consists of the parallel version of the zero-knowledge 
proof of Graph Isomorphism, is not known to be zero-knowledge (and in light 
of [11] it is unlikely that a proof that it is zero- knowledge can ever be given). 
Nevertheless, this subprotocol is "witness indistinguishable" (in the sense defined
later by Feige and Shamir [7]) and this property suffices for the soundness of the
interactive proof of GNI. However this entire issue is irrelevant to the current 
paper. 

The other definition that was lacking at that time was an adequate defini- 
tion of a proof of knowledge. An adequate definition of a "proof of knowledge" 
is needed to ensure that if the GNI-prover is convinced that the GNI-verifier 
"knows" an isomorphism between the query graph and one of the input graphs 
then indicating to which input graph the query graph is isomorphic yields no 
knowledge to the GNI-verifier. 14 To this end, the simulator (constructed to meet 
the zero-knowledge clause) uses the knowledge extractor guaranteed by the def- 
inition of a "proof of knowledge". However, as pointed out above, previous def- 
initions of "proof of knowledge" are useless in the case the GNI-prover is not 
convinced with non-negligible probability. It follows that the simulator will fail 
to construct the interactions in these cases which may occur with probability 
that is neither non-negligible nor negligible (see §1.2). In particular, consider 
the situation where for every c > 0 there exists an infinite sequence of inputs to
the protocol such that on input of length n the GNI-prover is convinced with
probability $n^{-c}$.

11 For sake of self-containment, this protocol is presented in Appendix E.

12 The prover in the zero-knowledge proof for GNI is the verifier in a "proof of knowledge
of an isomorphism between two graphs"; whereas the verifier in the zero-knowledge
proof for GNI is the party claiming and proving knowledge of an NP-witness for GI.

13 It should be stressed that a proof of correctness of (the zero-knowledge property of)
the protocol does appear in [12]. The criticism points to the fact that the proof of
correctness in [12] does not reflect the intuition just outlined.

14 The reader may find it useful at this point to consult Appendix E.

On the other hand, one can show that the subprotocol "for proof of knowledge 
of isomorphism" (presented in [12] and Appendix E) constitutes a (sound) proof 
of knowledge, according to the definitions presented in §3. It follows that the run- 
ning time of the knowledge extractor is inversely proportional to the probability 
that the GNI-prover is convinced. Hence, the simulator for the GNI-protocol will 
run in expected polynomial-time and produce a perfect simulation of the inter- 
action. Furthermore, it can be easily shown that the GNI-prover while playing 
the role of the GI-verifier in the proof of knowledge yields no knowledge to the
GNI-verifier (since its messages are generated in probabilistic polynomial-time 
from its inputs). 
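One iteration of the "proof of knowledge of an isomorphism" subprotocol of this subsection, together with the rewinding knowledge extractor whose running time the text relates to the acceptance probability, as an added example written for this page (it is not code from the paper; the paper's own presentation of the protocol is in its Appendix E, which is not reproduced here). It assumes the standard three-move form of the Graph Isomorphism proof of knowledge, models the prover as the oracle $P_x$ (its messages are a function of its random tape and of the partial transcript), and uses constructed graphs, isomorphism and random tapes:

```python
import random

def apply_perm(perm, graph):
    """Image of an undirected graph (frozenset of 2-element frozensets) under a vertex permutation."""
    return frozenset(frozenset(perm[v] for v in edge) for edge in graph)

def invert(perm):
    inv = [0] * len(perm)
    for src, dst in enumerate(perm):
        inv[dst] = src
    return inv

def compose(outer, inner):
    """The permutation v -> outer[inner[v]]."""
    return [outer[inner[v]] for v in range(len(inner))]

# Constructed instance: G1 = SIGMA(G0).  SIGMA is the witness; the extractor never sees it.
G0 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 0), (0, 2)])
SIGMA = [2, 0, 3, 1]
G1 = apply_perm(SIGMA, G0)

class HonestProver:
    """P_x as an oracle: its messages are a function of its random tape (here, the
    permutation pi it picks) and of the partial transcript (here, the challenge bit)."""
    def __init__(self, isomorphism):
        self.sigma = isomorphism               # G1 = sigma(G0)
    def commit(self, tape):
        return apply_perm(tape, G1)            # first message H = pi(G1)
    def respond(self, tape, challenge):
        if challenge == 1:
            return tape                        # H = pi(G1)
        return compose(tape, self.sigma)       # H = pi(sigma(G0))

class HalfProver:
    """Constructed prover that knows no isomorphism: it commits to H = pi(G1) and can
    open it only towards G1, so the verifier accepts with probability exactly 1/2."""
    def commit(self, tape):
        return apply_perm(tape, G1)
    def respond(self, tape, challenge):
        return tape if challenge == 1 else None

def verifier_accepts(H, challenge, answer):
    """The verifier's check: the answer maps the chosen input graph onto H."""
    if answer is None:
        return False
    return apply_perm(answer, G1 if challenge == 1 else G0) == H

def extract(prover, n, attempts=64, seed=0):
    """Rewinding knowledge extractor.  For a random tape it obtains the commitment, then
    queries the oracle with both challenges on the same prefix.  Two valid openings
    tau0 (G0 -> H) and tau1 (G1 -> H) yield tau1^{-1} o tau0 : G0 -> G1."""
    rng = random.Random(seed)                  # seeded only to make the example reproducible
    for _ in range(attempts):
        tape = list(range(n))
        rng.shuffle(tape)
        H = prover.commit(tape)
        tau0 = prover.respond(tape, 0)
        tau1 = prover.respond(tape, 1)
        if verifier_accepts(H, 0, tau0) and verifier_accepts(H, 1, tau1):
            return compose(invert(tau1), tau0)
    return None                                # no pair of valid openings found

if __name__ == "__main__":
    print(extract(HonestProver(SIGMA), 4))     # an isomorphism G0 -> G1
    print(extract(HalfProver(), 4))            # None
```

Against the honest prover the two openings of one commitment combine into the isomorphism; against the constructed half-prover, which convinces the verifier with probability exactly 1/2, no more than the knowledge error of a single iteration, the extractor finds nothing, and the definition requires nothing of it.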

7.2 What does the prover of a PSPACE language know? 

Using our definition, it is possible to say that the verifier in Shamir's interactive
proof for a PSPACE-complete language L is a knowledge verifier for the relation
$R_L$ consisting of pairs $(x, c)$ where c is the middle configuration in the com-
putation of a fixed machine accepting $x \in L$. Hence, one can say that (in some
meaningful sense) any prover which convinces this verifier (with, say, probability
1) on input x, does know an accepting computation on input x.

Let us show how a knowledge extractor may find the middle configuration. 
For the rest of this subsection, we assume that the reader is very familiar with 
the interactive proof for QBF as presented in [17, Section 5]. The standard re- 
duction of a PSPACE language to QBF associates the middle configuration in 
an accepting poly-space computation with the first block of t existential quan- 
tifiers in the formula. So in the rest of this subsection we will consider only the 
problem of retrieving a sequence of truth-values so that assigning these values 
to the above mentioned variables yields value true for the resulting formula. 

First, we consider a straightforward method for retrieving these t boolean
values. This method does work in case the prover convinces the verifier with
probability 1 (but will have to be modified to deal with arbitrary provers).
First the knowledge extractor asks the oracle for the first message of the prover,
which is a pair $(N, v_0)$, where N is a large prime and $v_0$ is a non-zero residue
mod N (the value of the arithmetic expression mod N). Next, the knowledge
extractor proceeds in t rounds. In the i-th round, the extractor feeds the oracle
the sequence $r_1, \ldots, r_{i-1} \in \mathbb{Z}_N$ and gets the polynomial $p_i$, which corresponds
to the opening of the i-th variable when the previous $i-1$ variables are set to
$r_1, \ldots, r_{i-1}$, respectively. The extractor then finds a $\mu_i \in \{0,1\}$ so that $p_i(\mu_i)$ is
not equal to zero modulo N (such $\mu_i$ must exist since $\sum_{\mu \in \{0,1\}} p_i(\mu) \equiv v_{i-1}$
$\pmod N$). Round i is completed by setting $r_i = \mu_i$ and $v_i = p_i(r_i)$.

In general the above method may fail as it relies too heavily on the answers of
the prover on boolean $r_i$'s. An alternative approach is to select the $r_i$'s uniformly
in $\mathbb{Z}_N$. The problem is that the resulting residual arithmetic expression no longer
reflects the truth value of the residual boolean formula. To solve the problem we
need to find the polynomial resulting by setting the $r_i$'s to $\mu_i$'s by examining
the polynomials which result by random settings of the $r_i$'s. To see how this can
be done, we need to take a closer look at the formula used by Shamir and its
arithmetization. It can be seen that the polynomial $p_i$ received from the prover
in round i has coefficients which are polynomials in $r_1$ through $r_{i-1}$. Denote by
$c_{i,j}(r_1, \ldots, r_{i-1})$ the polynomial in $r_1$ through $r_{i-1}$ representing the j-th coefficient
of $p_i$. The $c_{i,j}$'s are polynomials each of total degree at most $2(i-1) < 2t-1$, and
we are interested in the values of $c_{i,j}(\mu_1, \ldots, \mu_{i-1})$. Using the ideas of [1] these
values can be found via "interpolation" at 2t uniformly selected (yet dependent)
points. Finally, we note that the knowledge extractor can tell whether it is given
the correct polynomial at a point by carrying on the rest of the interactive proof
using the oracle to the function $P_x$. Further details are omitted.
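The straightforward round-by-round extraction described above, as an added example written for this page rather than code from the paper, run on a constructed purely existential instance: the honest prover's oracle returns the round polynomial $p_i$ as a coefficient list over $\mathbb{Z}_N$, and the extractor checks it against $v_{i-1}$ as the verifier would and then fixes each variable to a boolean value at which $p_i$ is non-zero. The arithmetization used (AND as product, OR as $a + b - ab$, NOT as $1 - a$, each existential quantifier as a sum over $\{0,1\}$) is a simplified stand-in for Shamir's and is an assumption of the example, as are the formula, the prime N and the prover's interpolation-based way of producing $p_i$:

```python
import itertools

# Constructed data: a prime N larger than 2^T (so the count of satisfying assignments
# is a non-zero residue mod N), T existential variables and a small CNF over them.
N = 1_000_003
T = 4
CLAUSES = [[(1, True), (2, False)],            # each literal is (variable index, polarity)
           [(2, True), (3, True), (4, False)],
           [(1, False), (4, True)],
           [(3, False), (4, True)]]

def phi(assignment):
    """Arithmetized CNF over Z_N; on 0/1 inputs it is 1 iff the assignment satisfies the CNF."""
    result = 1
    for clause in CLAUSES:
        c = 0
        for var, positive in clause:
            a = assignment[var - 1] if positive else (1 - assignment[var - 1]) % N
            c = (c + a - c * a) % N            # OR as a + b - ab
        result = result * c % N                # AND as product
    return result

def partial_sum(prefix):
    """Sum of phi over all 0/1 settings of the variables after the prefix (the E quantifiers)."""
    return sum(phi(list(prefix) + list(tail))
               for tail in itertools.product((0, 1), repeat=T - len(prefix))) % N

def poly_mul_linear(p, k):
    """Coefficient list p (low degree first) times (X - k), mod N."""
    out = [0] * (len(p) + 1)
    for d, c in enumerate(p):
        out[d] = (out[d] - k * c) % N
        out[d + 1] = (out[d + 1] + c) % N
    return out

def interpolate(ys):
    """Coefficients of the unique polynomial of degree < len(ys) with value ys[k] at X = k (Lagrange)."""
    n, coeffs = len(ys), [0] * len(ys)
    for j in range(n):
        basis, denom = [1], 1
        for k in range(n):
            if k != j:
                basis = poly_mul_linear(basis, k)
                denom = denom * (j - k) % N
        scale = ys[j] * pow(denom, -1, N) % N
        coeffs = [(c + scale * b) % N for c, b in zip(coeffs, basis)]
    return coeffs

def evaluate(coeffs, x):
    """Horner evaluation mod N."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % N
    return acc

class HonestProver:
    """Oracle P_x for a prover that convinces the verifier with probability 1."""
    def first_message(self):
        return N, partial_sum([])              # (N, v_0): v_0 = number of satisfying assignments mod N
    def round_polynomial(self, r_prefix):
        """p_i(X) for i = len(r_prefix)+1: x_1..x_{i-1} fixed to r_prefix, x_i = X, the rest
        summed out.  deg_X phi <= number of clauses, so that many + 1 points determine p_i."""
        deg = len(CLAUSES)
        return interpolate([partial_sum(list(r_prefix) + [x]) for x in range(deg + 1)])

def extract(prover):
    """Round i: obtain p_i, check p_i(0) + p_i(1) = v_{i-1} as the verifier would, then fix
    x_i to a boolean mu_i with p_i(mu_i) != 0 mod N and set v_i = p_i(mu_i)."""
    n, v = prover.first_message()
    if n != N or v == 0:
        return None
    r = []
    for _ in range(T):
        p = prover.round_polynomial(r)
        if (evaluate(p, 0) + evaluate(p, 1)) % N != v:
            return None                        # inconsistent prover answer
        mu = next((m for m in (0, 1) if evaluate(p, m) != 0), None)
        if mu is None:
            return None                        # impossible once v != 0 and the check above passed
        r.append(mu)
        v = evaluate(p, mu)
    return r

def is_satisfying(assignment):
    return phi(assignment) == 1

if __name__ == "__main__":
    print(extract(HonestProver()))             # a satisfying assignment of the constructed CNF
```

Because every $v_{i-1}$ is non-zero and equals $p_i(0) + p_i(1)$, one of the two boolean points is always usable, which is exactly the argument the text gives for the existence of $\mu_i$; the consistency check is the point at which a prover that does not convince with probability 1 would be caught, and where the modification for arbitrary provers discussed above becomes necessary.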
A Previous Definitions of Proofs of Knowledge

For sake of self-containment we review below the definitions of "proof of knowl- 
edge" appearing in the literature. In general there are two generally cited for- 
mulations appearing in [6] and in [18]. In addition, there is the better (but lesser 
known) formulation of Feige and Shamir [7]. Finally, there is work on "compu- 
tationally convincing proofs of knowledge" [4, 5]. 

"Proof of Knowledge" according to Feige, Fiat and Shamir [6] The 
definition presented in [6] refers only to parties which work in probabilistic
polynomial-time, yet may have auxiliary input (which is not necessarily gen- 
erated efficiently). The knowledge extractor is given the prover's program and 
auxiliary input and may run the prover's program as a subroutine (yet being 
charged for the time). 15 The knowledge extractor is required to produce good 
output only for provers and inputs for which the prover has a non-negligible 
probability of convincing the verifier on that input. Specifically, it is required 
that 

for every constant $a > 0$ there exists a probabilistic polynomial-time ex-
tractor M so that for all constants $b > 0$, all provers P, and all sufficiently
large x, r, k, if $\Pr[(P,V)(x,r,k) = \mathrm{ACC}] > |x|^{-a}$ then $\Pr[M(\mathrm{desc}(P), x, r, k) \in R(x)] > 1 - |x|^{-b}$.
($\mathrm{desc}(P)$ denotes the description of P.)

15 The extractor may try to analyze the prover's program by other means but Feige,
Fiat and Shamir claim that this does not make sense. In any case the knowledge
extractors that they present only use the prover's program as a "black-box".



The string k in the above definition denotes a-priori knowledge of P (given
in the form of auxiliary input) whereas r denotes the prover's sequence of coin
tosses. The fact that k is given to the knowledge extractor, though being indeed
conceptually disturbing, can be justified in several applications (and in particular
those in [6]). We stress that the definition of [6] does not guarantee one knowledge
extractor which works regardless of the prover's success probability but rather a
sequence of extractors each relevant for a different "measure" of non-negligibility.
As claimed in the main text this is conceptually unsatisfactory and inadequate
for many applications in which a proof of knowledge is used as a subroutine. It
should be said that "proofs of knowledge" are not used as subprotocols in [6],
but rather as the "thing itself" (and hence our criticism of their definition is only
weakly relevant, if at all, to the results of that paper).

"Proof of Knowledge" according to Tompa and Woll [18] The definition
presented in [18] differs slightly from the one of [6]. It allows the verifier to
run for an arbitrary (not necessarily polynomial) amount of time. The running
time of the knowledge extractor is polynomial in the length of the input and
in the running time of the verifier. As explained in §4.3, we don't believe that
this choice is justified. The knowledge extractor in the [18] definition is given
as input the prover's view of the interaction with the verifier, which contains
among other things the prover's auxiliary input (denoted k in the definition of
[6] presented above). The requirement concerning the output of the verifier is
that the event "on input x the verifier is convinced yet the knowledge extractor
fails to find $y \in R(x)$" happens very rarely (i.e. with probability smaller than $\epsilon$
for some $\epsilon < 1$). The probability is taken over the random coin tosses of both
parties (for any fixed input x and fixed auxiliary input k). Clearly, this defini-
tion suffers from all the disadvantages of the definition of [6] discussed above.
Furthermore, if $\epsilon$ is indeed fixed, as suggested by the definition in [18], then pro-
tocols satisfying their definition are useless even in a stronger sense: the prover
may convince the verifier with probability $\epsilon/2$ and yet nothing is required of the
knowledge extractor. Tompa and Woll were indeed aware of this point and seem
to suggest eliminating the problem by applying the protocol iteratively suffi-
ciently many times. This is indeed a good suggestion. However, several problems
remain. First a conceptual problem: their Lemma 3 (hereafter referred to as the
Composition Lemma) indeed offers a useful tool, but it does not provide a gen-
eral satisfactory definition of a "proof of knowledge". More annoying is the fact
that the Composition Lemma constructs better protocols via sequential compo-
sition of worse ones. It is not clear (and furthermore it seems unlikely) that a
parallel composition will have the same effect. Finally, the Composition Lemma
is applicable only to relations R which are in BPP.
"Proof of Knowledge" according to Feige and Shamir [7] The definition
presented in [7] looks similar to the one in [6], but in fact it is fundamentally
different. The critical point is that the definition in [7] treats potential provers
uniformly with respect to the probability they lead the verifier to accept. In this
sense, the definition in [7] is similar to our definition. Specifically, the knowledge
extractor, denoted M, runs in expected polynomial time (rather than in strict
polynomial time as in [6]) and outputs an element of $R(x)$ with probability that
is at most non-negligibly smaller than the probability that the verifier accepts
on input x. Specifically, it is required that

there exists a probabilistic expected polynomial-time extractor M so that
for all constants $b > 0$, all provers P, and all sufficiently large x, r, k,

$$\Pr[(P,V)(x,r,k) = \mathrm{ACC}] > \Pr[M(\mathrm{desc}(P), x, r, k) \in R(x)] - |x|^{-b}.$$

Consequently this definition does not suffer from the main criticism raised against
the definition of [6]. However, it still suffers from the other problems such as the
fact that k is given to M. Furthermore, it does not capture "knowledge" of
super-polynomial-time provers.

Work on "computationally convincing proofs of knowledge". Brassard,
Crepeau, Laplante and Leger [5] study "computationally convincing proofs of
knowledge" (the "validity" condition refers only to probabilistic, polynomial-
time provers). They do not present formal definitions so we found it difficult to
compare their work to ours, but the ideas appear to have some relation. They
too propose an "adaptive" requirement linking the running time of the extractor
to the success of the prover. Specifically, they appear to consider a particular
class of protocols, namely those consisting of k rounds, each of which contains
a "challenge" (from verifier to prover) which the prover may correctly answer
with probability 1/2 if he correctly "guesses" a coin toss of the verifier. They
require that the extractor succeed in time linear in $1/\varphi$, where $2^{-k} + \varphi$ is the
"probability of undetected cheating." The quantity in quotes was not defined
precisely, particularly for the case of the input being in the language, but if
$2^{-k} + \varphi$ is interpreted as the probability that the verifier accepts, then it is like
our definition with the knowledge error set to $2^{-k}$.

Brassard et al. [5] also raise some criticisms of the definitions of [6, 18], but their
criticism is the opposite of ours: whereas we suggest that the previous definitions 
are too weak (and propose a stronger definition) they suggest that the previous 
definitions are already too strong. 

B Soundness and Strong Validity 

For completeness, we state here also the standard soundness condition (for in- 
teractive proof systems). We remind the reader that we view soundness as an 
additional property that a knowledge verifier may (or may not) satisfy.

Definition 7. (Additional possible properties of a system of proofs of knowledge)
Let R be a binary relation, and suppose that V is a knowledge verifier for the
relation R with knowledge error $\kappa$. We define two additional properties that V
may satisfy.

- soundness: For every interactive function P, and for all $x \notin L_R$, most of
the possible interactions of V with P on common input x are rejecting (i.e.,
$\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] \leq 1/2$).

- strong validity (with error $\kappa$): Let K be the universal knowledge extractor, and
$c > 0$ be the constant guaranteed by the validity condition of Definition 3.
Then, for every interactive function P and every $x \notin L_R$, machine K satisfies
the following condition:

if $p(x) \stackrel{\rm def}{=} \Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] > \kappa(x)$ then, on input x and access
to oracle $P_x$, machine K outputs the special symbol $\bot$ within an
expected number of steps bounded by

$$\frac{|x|^c}{p(x) - \kappa(x)}.$$

As usual, the completeness (or non-triviality) and soundness conditions merely
state that there is a gap between the probability that a prover may convince
the verifier on $x \in L_R$ (which by the completeness condition is exactly 1) and
the probability that a prover may convince the verifier on $x \notin L_R$ (which by the
soundness condition is at most 1/2). Validity (resp., strong validity) is a more
refined condition regarding the behavior of arbitrary provers on $x \in L_R$ (resp.,
arbitrary strings). Specifically, validity relates the probability that the prover
convinces the verifier on $x \in L_R$ and the average time it takes the knowledge
extractor to find a $y \in R(x)$ in the case $x \in L_R$. Strong validity is an analogous
requirement regarding $x \notin L_R$. Validity, soundness, and strong validity are not
always independent. Namely,

Proposition 8. Validity and soundness imply strong validity for NP relations.

The proof that follows is for the case $\kappa = 0$.

Recall that an NP relation is a polynomially bounded relation $R(\cdot, \cdot)$ which is
decidable in polynomial time. Suppose an NP relation R possesses a knowledge
verifier which (in addition) satisfies the soundness condition. Without loss of
generality16, we may assume the error probability in the soundness condition is
at most $2^{-p(n)}$, where $p(\cdot)$ is a polynomial bounding the length of witnesses as a
function of the length of the input. Let K be the universal knowledge extractor
(satisfying the validity condition). Fix a deterministic procedure, with running
time $2^{p(n)} \cdot \mathrm{poly}(n)$, for deciding $L_R$ (e.g., the one which scans through all possible
witnesses for the given input).

16 The error probability in the soundness condition may be reduced, as usual, by
repetitions.
We construct a new knowledge extractor, denoted K', for the above proof of
knowledge, satisfying also strong validity. On input x and oracle access to $P_x$,
machine K' runs in parallel the extractor K (with input x and oracle $P_x$) and
the decision procedure for $L_R$ fixed above. Suppose K halts before the deci-
sion procedure terminates, and yields an output y. Machine K' checks whether
$R(x, y)$ is true (it can do this in polynomial time) and if so outputs y; otherwise
it outputs $\bot$. On the other hand, suppose the decision procedure halts while K
is still running. If the decision is negative ($x \notin L_R$) then K' outputs $\bot$; else it
continues to run K to whatever outcome this might yield.

We note that the running time of K' is (within a polynomial factor of) that
of K when $x \in L_R$, and at most (within a polynomial factor of) $2^{p(|x|)}$ otherwise.
But in the latter case, the probability $p(x) = \Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)]$ is at most
$2^{-p(|x|)}$, so that the expected running time of K' is $|x|^{O(1)}/p(x)$ in both cases.
The fact that K' is a knowledge extractor for R which satisfies (validity and)
strong validity follows.

Finally, we note that the above transformation preserves (up to polynomial
factors) the running time of the knowledge verifier, and, as long as we do the
error-reduction in a suitable way (for example, by serial composition), it also
preserves zero-knowledge.

C Reducing the Knowledge Error via Repetitions 

We prove the claims of §5. Let us first recall the notation and assumptions intro-
duced there. By poly(·) we mean any sufficiently large polynomial in the length of
the input (string). By assumption the messages of the verifier can be computed in
polynomial time, and $y \in R(x)$ can be found (if such exists) in exponential time
(i.e., time $2^{\mathrm{poly}(|x|)}$). Consequently, failure of the knowledge extractor occurring
with exponentially small probability (i.e., probability $2^{-\mathrm{poly}(|x|)}$) can be ignored.
Finally, we assume of course that $m(x) \leq \mathrm{poly}(x)$.

C.l Reducing the Knowledge Error via Sequential Composition 

Suppose that V is a knowledge verifier with error $\kappa(\cdot)$ for the relation R, and
let K be a knowledge extractor witnessing this fact. Let $V_m$ denote the program
that, on input x, sequentially executes the program V, on input x, for $m(x)$
times. Theorem 4 asserts that $V_m$ is a knowledge verifier with error $\kappa_m(\cdot) \stackrel{\rm def}{=}$
$(1 + 1/\mathrm{poly}(\cdot)) \cdot \kappa(\cdot)^{m(\cdot)}$ for the relation R. The theorem is proven by constructing
a knowledge extractor, denoted $K_m$, as described below.

Suppose that $P_m$ is a prover which, on input x, leads $V_m$ to accept with
probability $p_m(x) > \kappa_m(x)$. Loosely speaking, we observe that there exists an
i, $0 \leq i \leq m(x) - 1$, and a partial transcript of i iterations so that, relative to
this partial transcript, the $(i+1)$st iteration is accepting with probability at least
$\sqrt[m(x)]{p_m(x)}$. The idea is to use the guaranteed knowledge extractor, K, on the
$(i+1)$st iteration of $V_m$, relative to an appropriate partial i-iteration transcript.
Details follow.
For simplicity, we assume here that all transcripts are equally likely. Let $T_i$
denote the set of all possible partial transcripts of the first i iterations, and
$A_i \subseteq T_i$ denote the set of partial (i-iteration) transcripts in which all the i
iterations are accepting. Let $a_i \stackrel{\rm def}{=} |A_i|/|T_i|$ ($a_0 = 1$). For every $\alpha \in A_i$, let
$q(\alpha)$ denote the accepting probability of the $(i+1)$st iteration relative to a partial
transcript $\alpha$, and $c_{i+1}$ denote the average of $q(\alpha)$ taken over all $\alpha \in A_i$.

The following sequence of claims leads to the construction of the knowledge ex-
tractor $K_m$.

Claim 1: for every i, $0 \leq i < m(x)$, it holds that $a_{i+1} = a_i \cdot c_{i+1}$.
Proof: Clearly,

$$a_{i+1} = \frac{|A_{i+1}|}{|T_{i+1}|} = \frac{|A_i|}{|T_i|} \cdot \frac{\sum_{\alpha \in A_i} q(\alpha)}{|A_i|}$$

and the claim follows. □

Claim 2: there exists an i, $0 \leq i < m(x)$, such that
1. $c_{i+1} \geq \sqrt[m(x)]{p_m(x)}$;
2. $a_i \cdot (c_{i+1} - \kappa(x)) \geq p_m(x)/\mathrm{poly}(x)$.

Proof: By Claim 1, $p_m(x) = \prod_{j=1}^{m(x)} c_j$ and Part (1) follows. Using $p_m(x) >$
$\kappa_m(x)$, we get

$$c_{i+1} > \sqrt[m(x)]{1 + 1/\mathrm{poly}(x)} \cdot \kappa(x)$$

and hence $c_{i+1} - \kappa(x) > c_{i+1}/\mathrm{poly}(x)$. Using $a_i \cdot c_{i+1} \geq p_m(x)$, Part (2) follows.
□

Notation: Let i be as guaranteed by Claim 2, and denote $\delta_{i+1} \stackrel{\rm def}{=} c_{i+1} - \kappa(x)$. Let
$A_{i,t}$ denote the set of partial transcripts in $A_i$ containing only partial transcripts
relative to which the $(i+1)$st iteration accepts with probability bounded below
by $\kappa(x) + 2^t \delta_{i+1}/\mathrm{poly}(x)$ and above by $\kappa(x) + 2^{t+1} \delta_{i+1}/\mathrm{poly}(x)$, where poly(·)
is a specific polynomial which depends on m(·) and the time required to find
$y \in R(x)$. Namely,

$$A_{i,t} = \left\{ \alpha \in A_i : \kappa(x) + 2^t \cdot \frac{\delta_{i+1}}{\mathrm{poly}(x)} \leq q(\alpha) < \kappa(x) + 2^{t+1} \cdot \frac{\delta_{i+1}}{\mathrm{poly}(x)} \right\}$$

Claim 3: Let i and $A_{i,t}$ be as above. Then there exists a t, $1 \leq t \leq \mathrm{poly}(x)$, such
that $|A_{i,t}| \geq 2^{-t} \cdot |A_i|$.
Proof: Assume, on the contrary, that the current claim does not hold. Then

$$c_{i+1} < \kappa(x) + \frac{\delta_{i+1}}{\mathrm{poly}(x)} + \sum_{t=1}^{\mathrm{poly}(x)} \frac{|A_{i,t}|}{|A_i|} \cdot 2^{t+1} \cdot \frac{\delta_{i+1}}{\mathrm{poly}(x)}
< \kappa(x) + \frac{\delta_{i+1}}{\mathrm{poly}(x)} + \sum_{t=1}^{\mathrm{poly}(x)} 2^{-t} \cdot 2^{t+1} \cdot \frac{\delta_{i+1}}{\mathrm{poly}(x)}
\leq \kappa(x) + \delta_{i+1} = c_{i+1}$$

and contradiction follows. □

Claim 4: There exists an i, $0 \leq i < m(x)$, and a j, $1 \leq j \leq \mathrm{poly}(x)$, such that at
least a $2^{-j}$ fraction of the $\alpha \in T_i$ satisfy

$$q(\alpha) \geq \kappa(x) + 2^j \cdot \frac{p_m(x)}{\mathrm{poly}(x)}.$$

Proof: Let i be as guaranteed by Claim 2. Rephrasing Claim 3, we get that there
exists a t, $1 \leq t \leq \mathrm{poly}(x)$, such that at least a $2^{-t} \cdot a_i$ fraction of the $\alpha \in T_i$
satisfy $q(\alpha) \geq \kappa(x) + 2^t \cdot \delta_{i+1}/\mathrm{poly}(x)$. Substituting $j = t + \log_2(1/a_i)$ and using
Part (2) of Claim 2, the claim follows. □



Using Claim 4, we are now ready to present the knowledge extractor $K_m$.
Machine $K_m$ runs in parallel $m(x) \cdot \mathrm{poly}(x)$ copies of the following procedure,
each with a different pair $(i, j)$, $1 \leq i \leq m(x)$ and $1 \leq j \leq \mathrm{poly}(x)$. By saying
"run several copies in parallel" we mean execute these copies so that t steps are
executed in each copy before step $t + 1$ is executed in any other copy17.

The copy running with the pair $(i, j)$ generates $M \stackrel{\rm def}{=} 2^j \cdot \mathrm{poly}(x)$ random
partial transcripts of i iterations, denoted $\gamma_1, \ldots, \gamma_M$, and runs M copies of the
knowledge extractor K in parallel, each using a corresponding partial transcript
($\gamma_k$). The sub-procedure indexed by the triple $(i, j, k)$ uses the partial transcript
$\gamma_k$ to convert queries of the basic knowledge extractor (i.e., K) into queries
concerning the $(i+1)$st iteration. Namely, when K is invoked it asks queries to
an oracle describing the messages of a prover interacting with V. However, $K_m$
has access to an oracle describing prover $P_m$ (which is supposedly interacting
with $V_m$). Hence, $K_m$ needs to simulate an oracle describing a basic prover
(interacting with V), by using an oracle describing $P_m$. This is done by prefixing
each query of K with the i-iteration partial transcript $\gamma_k$ generated above.

To analyze the performance of $K_m$ consider the copy of the procedure run-
ning with a pair $(i, j)$ satisfying the conditions of Claim 4. If this is the case,
then with very high probability (i.e., exponentially close to 1) at least one of the
partial transcripts generated by this copy has the property that, relative to it,
the $(i+1)$st iteration accepts with probability at least $\kappa(x) + 2^j p_m(x)/\mathrm{poly}(x)$. It
follows that the corresponding copy of the sub-procedure will halt, outputting
$y \in R(x)$, within $\frac{|x|^c \cdot \mathrm{poly}(x)}{2^j \cdot p_m(x)}$ steps (on the average). Since the $(i,j)$th copy of the
procedure consists of $2^j \cdot \mathrm{poly}(x)$ copies of the sub-procedure running in parallel,
this copy of the procedure will halt in expected time $2^j \cdot \mathrm{poly}(x) \cdot \frac{|x|^c \cdot \mathrm{poly}(x)}{2^j \cdot p_m(x)} \leq \frac{|x|^c \cdot \mathrm{poly}(x)}{p_m(x)}$. The
entire knowledge extractor consists of polynomially many copies of the proce-
dure, running in parallel, and hence it also runs in expected $\frac{|x|^c \cdot \mathrm{poly}(x)}{p_m(x)}$ time,
as required.

17 Actually, the condition can be relaxed. For example, it suffices to require that at
least t steps are executed in each copy before step $2t$ is executed in any other copy.

Remark: We believe that $V_m$ is a knowledge verifier with error $\kappa(\cdot)^{m(\cdot)}$ for the
relation R (rather than just being a knowledge verifier with error $(1 + 1/\mathrm{poly}(\cdot)) \cdot$
$\kappa(\cdot)^{m(\cdot)}$ for this relation). The difference is of little practical importance, yet we
consider the question to be of theoretical interest.



C.2 Reducing the Knowledge Error via Parallel Composition 

A fundamental problem with presenting a parallel analogue of the above argu- 
ment is that we cannot fix a partial transcript for the other iterations while 
working with one selected iteration (which was possible and crucial to the proof 
used in the sequential case). Furthermore, even analyzing the profile of accepting 
transcripts is more complex. 

As before, let $p_m(x)$ denote the accepting probability, here abbreviated by
$p(x)$, and let $\delta(x) = p(x) - \kappa_m(x)$. Consider an $m(x)$-dimensional table in which
the dimensions correspond to the $m \stackrel{\rm def}{=} m(x)$ parallel executions, where the
$(r_1, \ldots, r_m)$-entry in the table corresponds to the transcript when the verifier uses
coin tosses $r_1$ in the first execution, $r_2$ in the second execution, and so on. Since
a $p(x)$ fraction of the entries are accepting transcripts, it follows that there exists
a dimension i so that at least a $\sqrt[m(x)]{p(x) - \delta(x)/2}$ fraction of the rows in the
i-th dimension contain at least $\delta(x)/2m(x)$ accepting entries. Furthermore, there
exists a j, $0 \leq j \leq \log_2(\mathrm{poly}(x)/\delta(x))$, so that at least a $2^{-j} \cdot \sqrt[m(x)]{p(x) - \delta(x)/2}$
fraction of the rows in the i-th dimension contain at least

$$\frac{\delta(x)/2}{2^{-j} \cdot \mathrm{poly}(x) \cdot \sqrt[m(x)]{p(x) - \delta(x)/2}}$$

accepting entries.

Getting back to the problem of using the knowledge extractor K (of the basic 
verifier V), we note that we need to simulate an oracle to K using an oracle 
describing P m . The idea used in the sequential case is to augment all queries to 
the P-oracle by the same partial transcript. However, we can no longer guarantee 
high accepting probability for one execution relative to a fixed transcript of the 
other (parallel) executions. 

We can however treat the special case in which the basic knowledge extractor, 
K, operates by generating random transcripts and keeping a new transcript only 
if it satisfies some polynomial-time predicate with respect to the transcripts kept 
so far. Details omitted. We remark that the known knowledge extractors do 
operate in such a manner. 
D Equivalence of Two Formulations of Validity with Error

We now prove the equivalence of the definitions of validity with error given in Definition 3 and in §6, respectively. We assume that whenever $\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] > \kappa(x)$, we have $\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] > \kappa(x) + 2^{-\mathrm{poly}(x)}$ as well. Alternatively, we may assume that there exists an exponential-time algorithm for solving the relation R (i.e., finding $y \in R(x)$ if such exists within $2^{\mathrm{poly}(x)}$ steps). The proof extends the argument presented in §6, for the special case $\kappa = 0$, yet in one direction an additional idea is required.

Let us start with the easy direction. Suppose that a verifier V satisfies validity with knowledge error $\kappa(\cdot)$ by the definition in §6. Let K be a knowledge extractor satisfying this definition. We construct a knowledge extractor K' that, on input x, repeatedly invokes K (on x) until $K(x) \neq \bot$. Clearly, K' always outputs a string in R(x), halting in expected time $\mathrm{poly}(x)/\Pr[K(x) \in R(x)]$, which is bounded above by $\mathrm{poly}(x)/(\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] - \kappa(x))$. Hence, K' satisfies the condition in Definition 3.

Suppose that a verifier V satisfies validity with knowledge error $\kappa(\cdot)$ by Definition 3, and let K be a knowledge extractor witnessing this fact. Let c > 0 be the constant satisfying the condition on the running-time of K. Namely, that its expected running-time is bounded above by $|x|^c/(\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] - \kappa(x))$. Assume, without loss of generality, that with very high probability (i.e., exponentially close to 1) K halts within at most $2^{\mathrm{poly}(x)}$ steps.¹⁸ We construct a knowledge extractor K' that, on input x, runs K(x) with the following modification. Machine K' proceeds in iterations, starting with i = 1, and terminating after at most poly(x) iterations. In iteration i, machine K' executes K(x) with time bound $2^{i}\cdot|x|^c$. If K halts with some output y then K' outputs y and halts. Otherwise (i.e., K does not halt within $2^{i}\cdot|x|^c$ steps), machine K' halts with probability 1/2 with output $\bot$ and otherwise proceeds to iteration i+1. We stress that in all iterations, K uses the same internal coin tosses. In fact, we can record the configuration at the end of iteration i and consequently save half of the time spent in iteration i+1. Clearly, the expected running-time of K'(x) is bounded above by

$$\sum_{i=1}^{\mathrm{poly}(x)} 2^{-i}\cdot\left(2^{i}\cdot|x|^{c}\right) = \mathrm{poly}(x).$$

We now evaluate the probability that, on input x, machine K' outputs $y \in R(x)$. It is guaranteed that, on input x, the extractor K outputs $y \in R(x)$ within $T(x) \le |x|^c/(\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] - \kappa(x))$ steps on the average (and by hypothesis $T(x) \le 2^{\mathrm{poly}(x)}$). Hence, with probability at least 1/2, on input x, machine K outputs $y \in R(x)$ within $2\cdot T(x)$ steps. The probability that K' conducts $2\cdot T(x)$ steps (i.e., K' reaches iteration $\log_2(T(x)/|x|^c)$) is $|x|^c/T(x) \ge \Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] - \kappa(x)$. Hence, K' satisfies the condition in §6.

¹⁸ This can be achieved by running the exponential time solver in parallel to K. Alternatively, assuming that if $\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] > \kappa(x)$ then $\Pr[\mathrm{tr}_{P,V}(x) \in \mathrm{ACC}_V(x)] > \kappa(x) + 2^{-\mathrm{poly}(x)}$, we can implement a probabilistic exponential-time solver using K.
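The construction of K' above (run K under doubling time bounds $2^i\cdot|x|^c$, flip a fair coin on every timeout) can be checked numerically. The following Python is an added illustration written for this appendix, not code from the proceedings. It models K, on a fixed choice of its coins, as a computation that halts with a witness after exactly T steps (so T also stands for the expected running time T(x)), uses c0 in place of $|x|^c$, and checks the two properties the proof relies on: expected running time polynomial in the number of iterations, and success probability at least c0/T. The names run_k_prime, exact_success_probability and estimate are this note's own.

```python
import math
import random

# Toy model (constructed for this note, not the paper's code): on a fixed choice
# of its coins, the extractor K halts with a witness after exactly T steps, so
# T also equals its expected running time T(x).  c0 stands in for |x|^c.

def run_k_prime(T, c0, max_iter, rng=None):
    """One execution of K'.  Iteration i runs K with time bound 2^i * c0 on the
    same coins; on a timeout K' halts with output bottom (None) with
    probability 1/2, otherwise it proceeds to iteration i + 1.  Because the
    configuration is recorded, iteration i + 1 only pays for the new steps.
    Returns (found_witness, steps_spent)."""
    rng = rng or random.Random()
    steps = 0
    simulated = 0                      # steps of K already replayed and recorded
    for i in range(1, max_iter + 1):
        bound = (2 ** i) * c0
        steps += bound - simulated     # resume from the recorded configuration
        simulated = bound
        if T <= bound:                 # K halted with y inside this budget
            return True, steps
        if rng.random() < 0.5:         # fair coin: give up with output bottom
            return False, steps
    return False, steps                # poly(x) iterations exhausted

def exact_success_probability(T, c0):
    """K' succeeds iff it survives to the first iteration i* with 2^i* c0 >= T.
    Each earlier timeout is survived with probability 1/2, so the success
    probability is 2^-(i*-1), which is at least c0/T (for T >= c0) because
    2^(i*-1) c0 <= T."""
    i_star = max(1, math.ceil(math.log2(T / c0)))
    return 2.0 ** (-(i_star - 1))

def expected_steps_bound(c0, max_iter):
    """Iteration i is reached with probability at most 2^-(i-1) and costs at
    most 2^i c0 steps, so the expectation is at most 2 c0 per iteration."""
    return 2 * c0 * max_iter

def estimate(T, c0, max_iter, trials, seed=0):
    """Monte Carlo estimate of (success probability, mean steps) of K'."""
    rng = random.Random(seed)
    successes, total_steps = 0, 0
    for _ in range(trials):
        found, steps = run_k_prime(T, c0, max_iter, rng)
        successes += found
        total_steps += steps
    return successes / trials, total_steps / trials

if __name__ == "__main__":
    p_hat, mean_steps = estimate(T=1000, c0=10, max_iter=20, trials=20000, seed=2024)
    print("success probability:", p_hat, "exact:", exact_success_probability(1000, 10),
          "c0/T:", 10 / 1000)
    print("mean steps:", mean_steps, "bound:", expected_steps_bound(10, 20))
```

With T = 1000 and c0 = 10 the first sufficient budget is reached at iteration 7, so K' succeeds with probability exactly $2^{-6}$, comfortably above c0/T = 0.01, while its expected step count stays far below the bound of 2·c0 per iteration.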






E The Zero-Knowledge Proof of Graph Non-Isomorphism

Following is the basic ingredient of the zero-knowledge proof for Graph Non-Isomorphism (GNI) presented in [12].

Common input: Two graphs $G_1$ and $G_2$ of n vertices each.

Objective: In case the graphs are not isomorphic, supply (statistical) evidence to that effect.

Step V1: The GNI-verifier selects uniformly $i \in \{1, 2\}$, and a random isomorphic copy of $G_i$, hereafter denoted H and called the query, and sends H to the GNI-prover. Namely, H is obtained by selecting a random permutation $\pi$ over the vertex-set, and letting the edge-set of H consist of pairs $(\pi(u), \pi(v))$ for every pair (u, v) in the edge-set of $G_i$.

Step VP: The GNI-verifier "convinces" the GNI-prover that he (i.e., the GNI- 
verifier) "knows" an isomorphism between H and one of the input graphs. To 
this end the two parties execute a witness indistinguishable proof of knowledge 
(with zero error) for graph isomorphism. (Such a protocol is described below.) In 
that proof of knowledge the GNI-verifier acts as the prover while the GNI-prover 
acts as the verifier. 

Step P1: If the GNI-prover is convinced by the proof given at step VP, then he finds j such that H is isomorphic to $G_j$, and sends j to the GNI-verifier. (If H is isomorphic to neither graph or to both, the GNI-prover sets j = 1; this choice is arbitrary.)

Step V2: If j (received in step PI) equals i (chosen in step VI) then the GNI- 
verifier accepts, else he rejects. 

It is easy to see that if the input graphs are not isomorphic then there exists 
a GNI-prover which always convinces the GNI-verifier. This meets the com- 
pleteness condition of interactive proofs. To show that some sort of soundness 
is achieved we use the witness indistinguishability of the subprotocol used in 
Step VP. Loosely speaking, it follows that no information about i is revealed to 
the GNI-prover and therefore if the input graphs are isomorphic then the GNI- 
verifier rejects with probability at least one half (no matter what the prover 
does).¹⁹

The demonstration that the GNI-prover is zero-knowledge is the place where 
the notion of proof of knowledge plays a central role. As required by the zero- 
knowledge condition we have to construct, for every efficient program playing 
the role of the GNI-verifier, an efficient simulator which outputs a distribution 
equal to that of the interaction of the verifier program with the GNI-prover. 
Following is a description of such a simulator. The simulator starts by invoking 
the verifier's program and obtaining a query graph, H, and a transcript of the 
execution of step VP (this is obtained when the simulator plays the role of the 
GNI-prover which is the knowledge-verifier in this subprotocol). If the transcript is not accepting then the simulator halts and outputs it (thus perfectly simulating the real interaction). However, if the transcript is accepting the simulator must proceed (otherwise its output will not be correctly distributed). The simulator needs now to simulate step P1, but, unlike the real GNI-prover, the simulator does not "know" to which graph H is isomorphic. The key observation is that the simulator can obtain this information (i.e., the isomorphism) from the knowledge extractor guaranteed for the proof of knowledge (taking place in step VP), and once the isomorphism is found producing the rest of the interaction (i.e., the bit j) is obvious. Using our definition (of proof of knowledge with zero error), the simulator can find the isomorphism in expected $\mathrm{poly}(n)/p(G_1, G_2, H)$ time, where $p(G_1, G_2, H)$ is the probability that the GNI-prover is convinced by the proof of knowledge in step VP. Since this module in the simulator is invoked only with probability $p(G_1, G_2, H)$, the simulator runs in expected polynomial-time, and the zero-knowledge property follows. We stress that carrying out this plan is not possible when using any of the previous definitions of "proof of knowledge".

¹⁹ Reducing the cheating probability further can be done by iterating the above protocol either sequentially or in parallel. However, this is not our concern here.

To complete the description of the above protocol we present a (witness indis- 
tinguishable) proof of knowledge of Graph Isomorphism. This proof of knowledge 
can be easily adapted to a proof of knowledge of an isomorphism between the 
first input graph and one of the other two input graphs. 

Common input: Two graphs H and G of n vertices each.

Objective: In case the graphs are isomorphic, the GI-prover has to "prove knowledge of $\psi$", where $\psi$ is an isomorphism between H and G.

Note: In our application the GNI-verifier plays the role of the GI-prover, while the GNI-prover plays the role of the GI-verifier.

Notation: Let $t = t(n) \stackrel{\mathrm{def}}{=} n$.

Step p1: The GI-prover selects uniformly t random isomorphic copies of H, denoted $K_1, \ldots, K_t$ and called the mediators, and sends these graphs to the GI-verifier. Namely, $K_i$ is obtained by selecting a random permutation $\pi_i$ over the vertex-set, and letting the edge-set of $K_i$ consist of pairs $(\pi_i(u), \pi_i(v))$ for every pair (u, v) in the edge-set of H.

Step v1: The GI-verifier selects uniformly a subset S of $\{1, 2, \ldots, t\}$ and sends S to the GI-prover.

Step p2: For every $i \in S$, the GI-prover sets $\alpha_i = \pi_i$, where $\pi_i$ is the permutation selected in step p1 to form $K_i$. For every $i \in \{1, \ldots, t\} - S$, the GI-prover sets $\alpha_i = \pi_i\psi$, where $\pi_i$ is as before, $\psi$ is the isomorphism between G and H (known to the GI-prover), and $\pi_i\psi$ denotes composition of permutations (or isomorphisms). The GI-prover sends $\alpha_1, \alpha_2, \ldots, \alpha_t$ to the GI-verifier.

Step v2: The GI-verifier checks if, for every $i \in S$, the permutation $\alpha_i$ (supplied in step p2) is indeed an isomorphism between the graphs H and $K_i$. In addition, the GI-verifier checks if, for every $i \in \{1, 2, \ldots, t\} - S$, the permutation $\alpha_i$ (supplied in step p2) is indeed an isomorphism between the graphs G and $K_i$. If both conditions are satisfied (i.e., all t permutations are indeed what they are supposed to be) then the GI-verifier accepts (i.e., is convinced that the GI-prover knows an isomorphism between G and H).

One can show that the above GI-verifier constitutes a knowledge-verifier (with zero error) for Graph Isomorphism. This is done by considering all possible choices of $S \subseteq \{1, 2, \ldots, t\}$ for a fixed set of mediators $K_1, \ldots, K_t$. Denote by s the number of subsets S for which the GI-verifier accepts. A knowledge extractor, given one accepting interaction (i.e., containing a good S) tries to find another one (i.e. a good subset different from S). Having two good subsets clearly yields an isomorphism between G and H (i.e., using any index in the symmetric difference between the good subsets). Clearly, if s = 1 then there exists no good subset other than S. In this case the extractor finds an isomorphism by exhaustive search (which is always performed in parallel to the attempts of the extractor to find a different good subset). The exhaustive search requires less than $2^t$ steps, but dominates the total running time only in case s = 1 (in which case the accepting probability is $1/2^t$). Yet, for any s > 1, the expected number of tries required to find a different good subset is

$$\frac{1}{(s-1)/(2^{t}-1)} < \frac{2^{t}}{s-1} \le \frac{2\cdot 2^{t}}{s}$$

(the last inequality follows from $s \ge 2$). Since $s/2^t$ is the probability that the GI-verifier accepts, the extractor described above indeed runs in expected time inversely proportional to the accepting probability of the GI-verifier. Our claim follows.
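The following Python is an added example for the GI proof of knowledge above (steps p1 through v2) and for the extractor argument that follows it; it is not code from the proceedings or from [12]. Graphs are small edge sets, the GI-prover is modelled as a function of S whose mediators and permutations $\pi_i$ stay fixed between rewinds (the same coins), and the extractor recovers $\psi$ from two good subsets through an index in their symmetric difference, falling back to exhaustive search for the s = 1 case. The helper names (apply_perm, step_p1, extract, demo, cheater_is_rejected) and the 6-vertex test graphs are this note's own.

```python
import itertools
import random

# Constructed example for this appendix, not code from the proceedings.  Graphs
# are edge sets over vertices {0, ..., n-1}; an edge is a sorted pair (u, v).

def apply_perm(perm, edges):
    """Isomorphic copy: edge (u, v) becomes (perm[u], perm[v])."""
    return frozenset(tuple(sorted((perm[u], perm[v]))) for u, v in edges)

def random_perm(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return perm

def compose(outer, inner):
    """(outer inner)(v) = outer(inner(v)); the paper writes pi_i psi."""
    return [outer[inner[v]] for v in range(len(inner))]

def inverse(perm):
    inv = [0] * len(perm)
    for v, w in enumerate(perm):
        inv[w] = v
    return inv

def is_isomorphism(perm, src, dst):
    return apply_perm(perm, src) == dst

# Steps p1, v1, p2, v2 of the GI proof of knowledge, with t = n mediators.

def step_p1(H, n, rng):
    """GI-prover: mediators K_i = pi_i(H) for t = n random permutations pi_i."""
    pis = [random_perm(n, rng) for _ in range(n)]
    return [apply_perm(pi, H) for pi in pis], pis

def step_v1(t, rng):
    """GI-verifier: a uniformly chosen subset S of {0, ..., t-1}."""
    return frozenset(i for i in range(t) if rng.random() < 0.5)

def step_p2(S, pis, psi):
    """GI-prover: alpha_i = pi_i for i in S, else alpha_i = pi_i psi
    (psi: G -> H and pi_i: H -> K_i, so pi_i psi: G -> K_i)."""
    return [pis[i] if i in S else compose(pis[i], psi) for i in range(len(pis))]

def step_v2(G, H, mediators, S, alphas):
    """GI-verifier: alpha_i must map H (i in S) or G (i not in S) onto K_i."""
    return all(is_isomorphism(alphas[i], H if i in S else G, K)
               for i, K in enumerate(mediators))

# Knowledge extractor: keep the mediators, rewind the prover to a fresh S.

def extract(G, H, mediators, S1, alphas1, prover, rng, max_tries):
    """prover(S) is the rewound GI-prover answering on its original coins.
    Two good subsets S1 != S2 give psi from any index in S1 xor S2; the
    exhaustive search over all permutations covers the case s = 1."""
    t = len(mediators)
    for _ in range(max_tries):
        S2 = step_v1(t, rng)
        alphas2 = prover(S2)
        if S2 != S1 and step_v2(G, H, mediators, S2, alphas2):
            i = next(iter(S1 ^ S2))
            if i in S1:   # alphas1[i]: H -> K_i is pi_i, alphas2[i]: G -> K_i is pi_i psi
                return compose(inverse(alphas1[i]), alphas2[i])
            return compose(inverse(alphas2[i]), alphas1[i])
    n = len(alphas1[0])
    for perm in itertools.permutations(range(n)):   # fallback, fewer than n! steps
        if is_isomorphism(list(perm), G, H):
            return list(perm)
    return None

# Constructed 6-vertex graph used by both checks below.
G_EDGES = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (0, 3)})

def demo(seed=7):
    """Honest run: returns (verifier accepted, extracted psi maps G onto H)."""
    rng = random.Random(seed)
    n = 6
    psi = random_perm(n, rng)
    H = apply_perm(psi, G_EDGES)                  # H is isomorphic to G via psi
    mediators, pis = step_p1(H, n, rng)
    prover = lambda S: step_p2(S, pis, psi)       # same coins on every rewind
    S1 = step_v1(n, rng)
    alphas1 = prover(S1)
    accepted = step_v2(G_EDGES, H, mediators, S1, alphas1)
    found = extract(G_EDGES, H, mediators, S1, alphas1, prover, rng, 64)
    return accepted, is_isomorphism(found, G_EDGES, H)

def cheater_is_rejected(seed=7):
    """With H not isomorphic to G (one edge fewer) no alpha_i can map G onto
    K_i, so any S other than the full set makes the verifier reject."""
    rng = random.Random(seed)
    H = frozenset({(0, 1), (1, 2), (2, 3), (3, 4), (4, 5)})
    mediators, pis = step_p1(H, 6, rng)
    return not step_v2(G_EDGES, H, mediators, frozenset({0}), pis)
```

Against the honest prover every subset is good, so the extractor needs about two rewinds; the extracted permutation is $\pi_i^{-1}\pi_i\psi = \psi$, and the verifier's two checks in step v2 are exactly what guarantees that the composition is an isomorphism from G to H whatever the prover actually did.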



Public Randomness in Cryptography*

Amir Herzberg¹

¹ IBM T.J. Watson, Yorktown Heights, NY 10598
² International Computer Science Institute, U.C. Berkeley, Berkeley, California 94704



Abstract. The main contribution of this paper is the introduction of a 
formal notion of public randomness in the context of cryptography. We 
show how this notion affects the definition of the security of a crypto- 
graphic primitive and the definition of how much security is preserved 
when one cryptographic primitive is reduced to another. Previous works 
considered the public random bits as a part of the input, and security 
was parameterized in terms of the total length of the input. We parame- 
terize security solely in terms of the length of the private input, and treat 
the public random bits as a separate resource. This separation allows us 
to independently address the important issues of how much security is 
preserved by a reduction and how many public random bits are used in 
the reduction. 

To exemplify these new definitions, we present reductions from weak one- 
way permutations to one-way permutations with strong security preserv- 
ing properties that are simpler than previously known reductions. 



1 Introduction 

Over the years, randomness has proved to be a powerful algorithmic resource, 
i.e. randomized algorithms that are simpler, or more efficient, or both, than any 
known deterministic algorithm have been developed for a variety of problems. 
Randomness has also proved to be a powerful resource in the construction of 
cryptographic primitives based on other primitives, e.g., the randomized reduc- 
tions from weak one-way functions to one-way functions and the reductions from 
one-way functions to pseudo-random generators. The source of randomness used 
in these reductions is typically public, in the sense that the random bits are 
accessible to all parties enacting the primitive and to any adversary trying to 
break the primitive. However, up till now, the distinction between the private 
part of the input and the public random bits has been blurred. 

The main contributions of this paper are to formally introduce the notion of 
public randomness, to introduce appropriate generalizations of the definitions of 
cryptographic primitives that use public randomness and, perhaps most importantly, to modify the definition of what it means to reduce one cryptographic 
primitive to another by allowing public randomness to be used in the reduction. 
In terms of generalizing the definition of cryptographic primitives to include 
public randomness, the main advantage is that the security of a primitive can 
now be parameterized, as it should be, solely in terms of the length of the private 
part of the input, and not at all in terms of the public random bits. In terms of 
reductions, the main advantage is that we can now separately consider the two 
issues of how much security is preserved by the reduction and how much public 
randomness is used in the reduction. 

As particular examples of how a primitive that uses public randomness can 
be defined, we extend the definitions of one-way functions and pseudo-random 
generators to include public random bits. Generalizations along the same lines 
for many other cryptographic primitives can be made, including those related to 
public key cryptography. 

As particular examples of how the new definitions of reductions using pub- 
lic randomness work, we provide reductions that use public randomness from 
weak one-way permutations to one-way permutations. Following [1], our prime concern is the security preserving properties of the reduction, i.e., how much of the security of the weak one-way permutation is transferred to the one-way permutation. However, unlike [1], we consider the security as a function solely of the length of the private input, which does not include the public random bits. We show reductions that preserve security in a very strong sense, which is stronger than that of the reduction due to [1] (under the new definitions). We begin with a very simple reduction (much simpler than that found in [1]), which uses a large number of public random bits. Through a sequence of increasingly intricate reductions, we converge on a reduction that is a slight modification of the reduction due to [1]. Both the reduction of [1] and our improvement use only a linear number of public random bits.

Another simple reduction from a weak one-way permutation to a one-way 
permutation was developed recently and independently by Phillips [2]. Phillips 
showed that his reduction preserves security somewhat better than the reduction 
of [1], when considering the randomness as a part of the input. However, our new 
definitions of security preserving reductions with public randomness reveal that 
Phillips' reduction actually preserves security as well as our reductions, i.e. much 
better than [1]. Phillips' reduction uses more public random bits ($O(n \log n)$) 
than our best reduction. 

A full development and details of this work can be found in [3]. 

2 Definitions 
2.1 Basic Notation 

If S is a set then |S| is the number of elements in S. Let x and y be bit strings. We let ||x|| denote the length of x. We let (x, y) denote the sequence of two strings x followed by y, and when appropriate we also view this as the concatenation of x and y. When (x, y) is the input to a function f, we write this as f(x, y).

We let $x_i$ denote the i-th bit of x. Let $x \in \{0,1\}^n$ and let $S \subseteq \{1, \ldots, n\}$. We let $x_S$ denote the subsequence of bits in x indexed by S, e.g. $x_{\{1,\ldots,i\}}$ denotes the first i bits of x, $x_{\{i+1,\ldots,n\}}$ denotes all but the first i bits of x, and thus $x = (x_{\{1,\ldots,i\}}, x_{\{i+1,\ldots,n\}})$.

If x and y are bit strings, each of length l, then $x \oplus y$ is the vector sum mod 2 (i.e. bitwise parity) of x and y, i.e. $(x \oplus y)_i = (x_i + y_i) \bmod 2$.

An m × n bit matrix x is indicated by $x \in \{0,1\}^{m \times n}$. We write $x_{i,j}$ to refer to the (i, j) entry in x. We can also view x as a sequence $x = (x_1, \ldots, x_m)$ of m strings, each of length n, where $x_i$ is the i-th row of the matrix, or as a string $x \in \{0,1\}^{mn}$ of length mn, which is the concatenation of the rows of the matrix.

If a is a number, then |a| is the absolute value of a, $\lceil a \rceil$ is the smallest integer greater than or equal to a, log(a) is the logarithm base two of a. If a number is an input to or an output of an algorithm, the assumption is that it is presented in binary notation.

In general, we use capital letters to denote random variables and random events. When S is a set we use the notation $X \in_U S$ to mean that X is a random variable uniformly distributed in S, and $x \in_U S$ indicates that x is a fixed element of S chosen uniformly.

2.2 Public Randomness 

A source of random bits is public for a primitive if it can be read by all parties enacting the primitive and by any adversary trying to break the primitive. The public random string is always chosen uniformly. We use ";" to keep the public random string separated from other strings in a list of strings, e.g. if y is the value of the public random string and x is the input to some function f, then we write f(x; y) to indicate the evaluation of f on input x with respect to y (note that the value of f depends both on the input x and on the public random string y), and we write (f(x; y); y) to indicate the pair of strings f(x; y) and y.

Although the public random bits are known to an adversary, it turns out that these bits often play a crucial role in ensuring that the primitive is secure.

2.3 Security 

The security of a primitive quantifies how secure the primitive is against attacks 
by an adversary trying to break the primitive. The important question to con- 
sider is "What does the security measure?" Intuitively, the security of a primitive 
is a measure of the minimal computational resources needed by any adversary to 
break the primitive. There are two natural computational resources we consider: the maximal total time T that the adversary runs and the success probability δ of the adversary. Both T and δ are stated with respect to a given input instance to the adversary, and their definitions are primitive dependent.

A trivial strategy to increase the success probability δ is to run the adversary again. This doubles the running time, but also almost doubles the success probability (especially if it is low). This motivates us to simplify the analysis by comparing only the ratios between the success probabilities and the running times of different adversaries. An additional simplification is to consider the ratio between the success probability δ(n) and the maximal running time T(n), both over all private inputs of length n. Without much loss in generality, we hereafter assume that an adversary A always runs for the same amount of time T(n) on all inputs parameterized by n.

Definition (achievement ratio): The achievement ratio of an adversary A for a primitive f is defined as $\delta(n)/T(n)$, where T(n) is the running time of A and δ(n) is the success probability of A for f on private inputs of length n.

Definition (breaking adversary and security): An adversary A is $R_f(n)$-breaking for a primitive f if the achievement ratio of A for f satisfies $\delta(n)/T(n) \ge R_f(n)$ for infinitely many $n \in \mathbb{N}$. The primitive f is $(1 - R_f(n))$-secure if there is no $R_f(n)$-breaking adversary for f.

Intuitively, 0-secure means totally insecure, whereas 1-secure means totally secure. We would like the primitive to be harder to break than it is to use. For example, suppose f is a $(1 - R_f(n))$-secure one-way function, where for all constants c, $R_f(n) < 1/n^c$ for sufficiently large n. Then f can be computed in polynomial time, whereas a polynomial time algorithm can only invert f with inverse polynomial probability for finitely many values of $n \in \mathbb{N}$.

Allowing the security of a primitive to be parameterized is important because different implementations of primitives may achieve different levels of security, which may offer different tradeoffs between efficiency and security. We note that inverse polynomial security (e.g. $R_f(n) = 1/\mathrm{poly}(n)$) means that the primitive may be broken by a polynomial adversary, so we expect that many applications would require higher security. For example, it may be that a particular function f is a $(1 - R_f(n))$-secure one-way function, where $R_f(n)$ is much smaller than any inverse polynomial. The statement that f is secure with respect to such a bound is quantifiably stronger than the statement that it is secure with respect to an inverse polynomial bound. On the other hand, for any function computable in time T(n) there is an inverting adversary that runs in $T(n)\cdot 2^n$ time, and thus there is no $(1 - 1/(T(n)\cdot 2^n))$-secure one-way function.

2.4 Primitives with Public Randomness 

Definition (standard function): A function f(x; y) is called a standard function with length relationship ||x|| = n, ||y|| = l(n), ||f(x; y)|| = m(n) if

- f(x; y) is computable in polynomial time.
- If ||x|| = n then ||y|| = l(n) and ||f(x; y)|| = m(n), where both l(n) and m(n) are polynomial in n.

We now give the definitions of primitives using public randomness.

Definition (one-way function with public random bits): Let f(x; y) be a standard function with length relationship ||x|| = n, ||y|| = l(n), ||f(x; y)|| = m(n). Let $X \in_U \{0,1\}^n$ and $Y \in_U \{0,1\}^{l(n)}$. The success probability of adversary A for f is

$$\delta(n) = \Pr[f(A(f(X;Y);Y);Y) = f(X;Y)].$$

The running time T(n) of adversary A for f is the maximum over all $x \in \{0,1\}^n$ and $y \in \{0,1\}^{l(n)}$ of the running time of A on input (f(x; y); y). Then, f is a $(1 - R_f(n))$-secure one-way function if there is no $R_f(n)$-breaking adversary for f.

Definition (one-way permutation with public random bits): Let f(x; y) be a standard function with length relationship ||x|| = n, ||y|| = l(n), ||f(x; y)|| = m(n). Then, f is a $(1 - R_f(n))$-secure one-way permutation if f is a $(1 - R_f(n))$-secure one-way function and m(n) = n and x is uniquely determined by f(x; y) and y.

Definition (pseudo-random generator with public random bits): Let g(x; y) be a standard function with length relationship ||x|| = n, ||y|| = l(n), ||g(x; y)|| = m(n), where m(n) > n. The stretching parameter of g(x; y) is m(n) - n. Let $X \in_U \{0,1\}^n$, $Y \in_U \{0,1\}^{l(n)}$ and $Z \in_U \{0,1\}^{m(n)}$. The success probability (distinguishing probability) of adversary A for g is

$$\delta(n) = \Pr[A(g(X;Y);Y) = 1] - \Pr[A(Z;Y) = 1].$$

The running time T(n) of adversary A for g is the maximum over all $z \in \{0,1\}^{m(n)}$ and $y \in \{0,1\}^{l(n)}$ of the running time of A on input (z; y). Then, g is a $(1 - R_g(n))$-secure pseudo-random generator if there is no $R_g(n)$-breaking adversary for g.

Example: To exemplify the difference between the traditional definition of a one-way function and the definition introduced here with public randomness, consider the subset sum problem. A one-way function based on the difficulty of this problem can be defined in two ways; without public random bits and with public random bits. Let $b \in \{0,1\}^n$ and let $a \in \{0,1\}^{n \times n}$. In the first definition without public random bits the function is

$$f(a, b) = \Big(a, \sum_{i=1}^{n} b_i \cdot a_i\Big).$$

The security is parameterized by the input length $N = n^2 + n$. In the second definition, a is the public random string and the function is defined as

$$f(b; a) = \sum_{i=1}^{n} b_i \cdot a_i.$$

In this case, the security is parameterized by the length of the private input b, which is simply n. Note that in both cases, the actual security of f is based on exactly the same thing, i.e. when a and b are chosen uniformly then given a and $\sum_{i=1}^{n} b_i \cdot a_i$ there is no fast adversary that can find on average a $b' \in \{0,1\}^n$ such that $\sum_{i=1}^{n} b'_i \cdot a_i = \sum_{i=1}^{n} b_i \cdot a_i$. The only difference is how the security is parameterized. Intuitively, security should be parameterized in terms of what is hidden from the adversary, and not in terms of the overall amount of randomness available to the function. The first definition parameterizes the security in terms of the overall amount of randomness available to the function, i.e. security is parameterized in terms of the length of b plus the length of a. The parameter of security in the second definition is the length of b, where b is what is really secret.
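As an added illustration of the two parameterizations (constructed for this note, not code from the paper), the following Python computes both f(a, b) and f(b; a) for a sample instance and measures the cost of a generic exhaustive inverter: its work, and therefore its achievement ratio in the sense of Section 2.3, is governed by the n private bits of b alone, while the $n^2$ public bits of a change only how the security would be labelled under the first definition. The names f_public, f_traditional, invert_by_search and worked_case are this note's own; the public string a is represented as n rows of n bits, each read as the integer $a_i$.

```python
import random

# Constructed illustration for this example, not code from the paper.  The
# public random string a in {0,1}^{n x n} is handled as n rows of n bits, each
# row read as the integer a_i; the private input b in {0,1}^n is a bit list.

def public_random_string(n, rng):
    """The public string a: n uniformly random n-bit rows."""
    return [rng.getrandbits(n) for _ in range(n)]

def f_public(b, a):
    """f(b; a) = sum_i b_i * a_i   (private input b, public random string a)."""
    return sum(bi * ai for bi, ai in zip(b, a))

def f_traditional(a, b):
    """f(a, b) = (a, sum_i b_i * a_i): the same computation, but with a as part
    of the input, so the 'input length' is N = n^2 + n."""
    return (a, f_public(b, a))

def private_length(b):
    return len(b)                       # n

def public_length(a):
    return len(a) * len(a)              # n^2 bits: n rows of n bits each

def invert_by_search(target, a):
    """Generic inverter: try every b' in {0,1}^n until f(b'; a) = target.
    Returns (b', candidates_tried).  The work depends only on the number of
    private inputs, 2^n, however many public bits the adversary can read."""
    n = len(a)
    for k in range(2 ** n):
        b = [(k >> i) & 1 for i in range(n)]
        if f_public(b, a) == target:
            return b, k + 1
    return None, 2 ** n

def achievement_ratio(delta, T):
    """delta(n)/T(n), the quantity compared against R_f(n) in Section 2.3."""
    return delta / T

def worked_case(n=8, seed=3):
    """Returns the lengths and the exhaustive inverter's achievement ratio,
    which is 2^-n (delta = 1, T = 2^n) whether a's n^2 bits are counted or not."""
    rng = random.Random(seed)
    a = public_random_string(n, rng)
    b = [rng.getrandbits(1) for _ in range(n)]       # the private input
    y = f_public(b, a)
    b_prime, tried = invert_by_search(y, a)
    ok = f_public(b_prime, a) == y and f_traditional(a, b_prime) == (a, y)
    return {
        "inverted": ok,
        "private_bits": private_length(b),
        "public_bits": public_length(a),
        "tried": tried,
        "ratio": achievement_ratio(1.0, 2 ** n),
    }
```

Under the first definition the same inverter would be described relative to N = 72 input bits, under the second relative to n = 8; the adversary's work of at most $2^8$ trials is identical in both cases, which is the point of parameterizing by the private input only.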

Intuitively, a weak one-way function f is a function such that it is hard to find an inverse of f(x) for some significant but perhaps not very large fraction of $x \in \{0,1\}^n$ (the 'hard set'). (In contrast, for a one-way function it is hard to find an inverse of f(x) for all but an insignificant fraction of the $x \in \{0,1\}^n$.) We only give the traditional definition (not using public randomness); the definition using public randomness is straightforward.

Definition (weak one-way function): Let f(x) be a standard function with length relationship ||x|| = n, ||f(x)|| = l(n). The weakness parameter of f is a function s(n) such that $s(n) \ge 1/n^c$ for some constant c. The time bound and success probability of an adversary A for f are defined exactly the same way as for a one-way function. An adversary A is $R_f(n)$-breaking for s(n)-weak f if there is a subset $H_n$ of $\{0,1\}^n$ of measure at least s(n) such that $R_f(n) \le \delta_H(n)/T_H(n)$, where $\delta_H(n)$ is the average success probability over $H_n$ and $T_H(n)$ is the maximal running time over $H_n$. A function f is a $(1 - R_f(n))$-secure s(n)-weak one-way function if there is no $R_f(n)$-breaking adversary for s(n)-weak f.

Example: Define f(x, y) = xy, where $x, y \in \{2, \ldots, 2^n - 1\}$. The problem of inverting f(x, y) consists of finding $x', y' \in \{2, \ldots, 2^n - 1\}$ such that x'y' = xy. Let $X, Y \in_U \{2, \ldots, 2^n - 1\}$ be independent random variables. On average, f(X, Y) is rather easy to invert. For instance, with probability 3/4, XY is an even number, in which case setting x' = 2 and y' = XY/2 inverts f(X, Y). However, with probability approximately $1/n^2$ both X and Y are prime n-bit numbers. If there is no adversary that can factor the product of a pair of random n-bit prime numbers with achievement ratio $R_f(2n)$ on average, then f is a $(1 - R_f(2n))$-secure $1/n^2$-weak one-way function.

3 Reductions 

All of the results presented in this paper involve a reduction from one type of cryptographic primitive to another. In this section, we give a formal definition of reduction. We only define a reduction in the case when both cryptographic primitives are standard functions.

Central to the definition of a reduction is the notion of an oracle Turing 
machine. 

Definition (oracle Turing machine): An oracle Turing machine is a randomized Turing machine S whose behavior is not fully specified. The behavior is not fully specified in the sense that S, in the course of its execution, interactively makes calls (hereafter described as oracle calls) to and receives corresponding outputs from an algorithm that is not part of the description of S. We let $S^A$ denote the fully specified Turing machine described by S using algorithm A to compute the oracle calls.

Note that although the running time of S is not defined, the running time of $S^A$ is defined. Also, if A is a Turing machine then so is $S^A$.

Let f be a generic instance of the first primitive, where f(x) is a standard function with length relationship ||x|| = n and ||f(x)|| = l(n). Let $X \in_U \{0,1\}^n$. There are two parts to a reduction: (1) an oracle Turing machine P that efficiently converts f(X) into an instance g(Y) of the second primitive, where g is a standard function and Y is the polynomially samplable probability distribution on inputs to g; (2) an oracle Turing machine S that is the guarantee that the security of f(X) is passed on to g(Y). The security guarantee is of the form that if A is a breaking adversary for g(Y) then $S^A$ is a breaking adversary for f(X). More formally,

Definition (reduction): We say that there is a reduction from primitive-1 to primitive-2 if there are two oracle Turing machines P and S with the following properties. Given any instance f of primitive-1, $P^f$ is an instance g of primitive-2. Given any $R_g(n)$-breaking adversary A for g, $S^A$ is an $R_f(n)$-breaking adversary for f.

The reduction guarantees that there is no $R_g(n)$-breaking adversary for g as long as there is no $R_f(n)$-breaking adversary for f. To have the reduction inject as much of the security of f as possible into g, we would like $R_f(n)$ to be as large as possible with respect to $R_g(n)$, e.g., $R_f(n) = R_g(n)$.
To give a rough measure of the amount of security a reduction preserves, we make the following definitions. Note that in all definitions the reduction has an overhead of $1/n^c$. However, typically $R_g(n) \ll 1/n^c$ and it is therefore the dominant factor.

Definition (preserving reductions): The reduction from primitive-1 to 
primitive-2 is said to be 

- slightly preserving if there are constants $\alpha \ge 1$, $\beta \ge 1$ and $c \ge 0$ such that 
  $R_f(n) \ge R_g(n^\alpha)^\beta / n^c$; 

- polynomially preserving if there are constants $\delta \ge 1$ and $c \ge 0$ such that 
  $R_f(n) \ge R_g(n)^\delta / n^c$; 

- linearly preserving if there is a constant $c \ge 0$ such that 
  $R_f(n) \ge R_g(n) / n^c$. 

For a linearly preserving reduction, $R_f(n)$ is linearly lower bounded by $R_g(n)$; 
for a polynomially preserving reduction, $R_f(n)$ is polynomially lower bounded 
by $R_g(n)$ (in both cases there is also a polynomial in $n$ factor). On the other 
hand, for a slightly preserving reduction the lower bound on $R_f(n)$ can be much 
weaker than any polynomial factor in $R_g(n)$. For this reason, a linearly preserv- 
ing reduction is more desirable than a polynomially preserving reduction, which 
in turn is more desirable than a slightly preserving reduction. 

Consider a reduction from a one-way function $f$ to a pseudo-random genera- 
tor $g$ and suppose we want the reduction to guarantee that $g$ is $(1 - R_g(n))$-secure. 
The difference between these types of guarantees isn't so important when $R_g(n)$ 
is not too small, e.g., if $R_g(n)$ is inverse polynomial in $n$ then all types guar- 
antee that $R_f(n)$ is inverse polynomial in $n$, and thus $g$ is $(1 - R_g(n))$-secure 
if there is no polynomial time adversary that can invert $f$ with inverse poly- 
nomial probability. However, the difference between these types of guarantees 
increases dramatically as $R_g(n)$ goes to zero at a faster rate, which is expected 
in most applications. To see the dramatic differences between the strengths of 
the reductions, consider the case when $R_g(n) = 2^{-n^{1/2}}$, $\alpha = \beta = \delta = 2$ and 
$c = 0$. For a linearly preserving reduction, $g$ is $(1 - R_g(n))$-secure if there is no 
$R_f(n) = 2^{-n^{1/2}}$-breaking adversary for $f$. For a polynomially preserving reduc- 
tion, $g$ is $(1 - R_g(n))$-secure if there is no $R_f(n) = 2^{-2n^{1/2}}$-breaking adversary 
for $f$. For a slightly preserving reduction, $g$ is $(1 - R_g(n))$-secure if there is no 
$R_f(n) = 2^{-2n}$-breaking adversary for $f$. Note that in this case $R_f(n)$ is the 
$2n^{1/2}$ power of $R_g(n)$, which is not at all polynomial in $R_g(n)$. In fact, for trivial 
reasons there is a $2^{-2n}$-breaking adversary for $f$ (guess a preimage at random), and 
thus the slightly preserving reduction does not guarantee that $g$ is $(1 - 2^{-n^{1/2}})$-secure 
no matter how secure $f$ is. 

Because of the tremendous superiority of a linearly preserving over a polyno- 
mially preserving reduction, and of a polynomially preserving over a slightly 
preserving reduction, it is important to design the strongest reduction possible. 
Some of the most important work (both theoretically and practically) left to be 
done is to find stronger preserving reductions between cryptographic primitives 
than are currently known, e.g. the strongest reductions known from a one-way 
function to a pseudo-random generator and from a weak one-way function to a 
one-way function (in the general case) are only slightly preserving. 

It turns out that the primary quantity that determines the strength of the 
reduction is the ratio $n/n'$, where $n$ is the length of the private part of the in- 
put for $g$ and $n'$ is the length of the private part of the input for calls to $f$ 
when computing $g$. The bigger this ratio the more the loss in security. The best 
case is when these two lengths are equal or nearly equal. The reason for this is 
that typically the achievement ratio for $S^A$ is either linear or polynomial in the 
achievement ratio $R_g(n)$ for $A$, and $S^A$ breaks one of the calls to $f$ on inputs of 
length $n'$, and thus $R_f(n')$ is either linear or polynomial in $R_g(n)$. For example, 
if $n' = n$ and $R_f(n') = R_g(n)$ then the reduction is linearly preserving. Slightly 
weaker, if $n' = \epsilon n$ for some constant $\epsilon > 0$ and $R_f(n') = R_g(n)^\delta$ for some 
constant $\delta \ge 1$ then the reduction is polynomially preserving. This can be seen 
as follows. Even in the worst case, when $R_g(n) = 2^{-n}$, it is easy to verify that 
$R_g(n) = R_g(n'/\epsilon) \ge R_g(n')^{1/\epsilon}$. Thus, $R_f(n') \ge R_g(n')^{\delta/\epsilon}$. If $n'$ is substantially 
smaller than $n$ (but still polynomial in $n$), then the reduction is typically only 
slightly preserving. 






4 The Reductions 

We describe several linearly preserving reductions from a weak one-way permu- 
tation to a one-way permutation. All of the reductions work only for functions 
that are permutations (see footnote 3). In [4], Yao describes a reduction from a general weak 
one-way function to a one-way function, but the reduction is only slightly preserving. A good 
research problem is to design a linearly preserving (or even polynomially pre- 
serving) reduction without any restriction on the weak one-way function. 

In all the reductions, we assume that the weak one-way function doesn't use 
a public random string. Only minor modifications need be made to handle the 
case when the weak one-way function uses public randomness. 

All of the reductions share a common approach, and each reduction builds on 
the ideas developed in previous reductions. For completeness, we first describe 
a general reduction from a weak one-way function to a one-way function. 
Reduction 1 [Yao]: Let $f(x)$ be an $s(n)$-weak one-way function, where $x \in 
\{0,1\}^n$. Let $N = n/s(n)$, let $y \in \{0,1\}^{N \times n}$ and define the one-way function 

$$g(y) = (f(y_1), \ldots, f(y_N)).$$ 

Theorem 1 [Yao]: Reduction 1 is a slightly preserving reduction from an 
$s(n)$-weak one-way function $f$ to one-way function $g$. More precisely, there is an 
oracle algorithm $S$ such that if $A$ is an $R_g(nN)$-breaking adversary for $g(y)$ then 
$S^A$ is an $R_f(n)$-breaking adversary for $s(n)$-weak $f(x)$, where $R_f(n) = \ldots$ 

Note that $s(n)$ must be at least inverse polynomial in $n$ for the reduction to be 
even slightly preserving. This is because it is necessary for $n$ to be a polynomial 
fraction of $N$, and $N = n/s(n)$. 

4.1 A simple linearly preserving reduction 

An important observation about Reduction 1 is that $g$ doesn't use any public 
random bits beyond what is used by $f$. The reason the reduction is only slightly 
preserving is that $g$ partitions its private input into many small strings and uses 
each of these strings as a private input to $f$. This can be thought of as a parallel 
construction, in the sense that the calls to $f$ are on independent inputs and thus 
all calls to $f$ can be computed simultaneously. The linearly preserving reduction 
given here is similar in its basic structure to Reduction 1. The main difference 
is that instead of partitioning the private input of $g$ into $N$ private inputs of 
length $n$ for $f$, the private input to $g$ is a single string $x \in \{0,1\}^n$, and the 
public random string is used to generate $N$ inputs of length $n$ to $f$ sequentially. 
Reduction 2: Let $f(x)$ be an $s(n)$-weak one-way permutation, where $x \in 
\{0,1\}^n$. Let $N = n/s(n)$, let $\pi \in \{0,1\}^{N \times n}$ and define the one-way permutation 

$$g(x; \pi) = y_{N+1},$$ 

3 These reductions can be extended to the important case of regular functions, which 
is more general than permutations but still not the general case. A function is regular 
if each point in the range of the function has the same number of preimages. 
where $y_1 = x$ and, for all $i = 2, \ldots, N+1$, $y_i = \pi_{i-1} \oplus f(y_{i-1})$. 
Theorem 2: Reduction 2 is a linearly preserving reduction from an $s(n)$-weak 
one-way permutation $f$ to one-way permutation $g$. More precisely, there is an 
oracle algorithm $S$ such that if $A$ is an $R_g(n)$-breaking adversary for $g(x; \pi)$ then 
$S^A$ is an $R_f(n)$-breaking adversary for $s(n)$-weak $f(x)$, where $R_f(n) = \ldots$ 

The proof of Theorem 2 is similar in spirit to the proof of Theorem 1. We 
only describe the oracle algorithm $S$. Suppose that $A$ is an adversary with time 
bound $T(n)$ and success probability $\delta(n)$ for $g$, and thus the achievement ratio is 
$\delta(n)/T(n)$. $A$ on input $g(x; \pi)$ and $\pi$ finds $x$ with probability $\delta(n)$ when $x \in_U \{0,1\}^n$ 
and $\pi \in_U \{0,1\}^{N \times n}$. The oracle machine described below has the property that 
$S^A$ inverts $f$ on inputs of length $n$ with probability at least $1 - s(n)$, where the 
time bound for $S^A$ is $\ldots$. The input to $S^A$ is $f(x)$ where $x \in_U \{0,1\}^n$. 

Adversary $S^A$ on input $f(x)$: 
  Repeat $\ldots$ times: 
    Randomly choose $i \in_U \{2, \ldots, N+1\}$. 
    Randomly choose $\pi \in_U \{0,1\}^{N \times n}$. 
    Let $y_i = f(x) \oplus \pi_{i-1}$. 
    Compute $y_{i+1} = \pi_i \oplus f(y_i), \ldots, y_{N+1} = \pi_N \oplus f(y_N)$. 
    Compute $v_0 = A(y_{N+1}; \pi)$. 
    Compute $v_1 = \pi_1 \oplus f(v_0), \ldots, v_{i-2} = \pi_{i-2} \oplus f(v_{i-3})$. 
    If $f(v_{i-2}) = f(x)$ then output $v_{i-2}$. 

(When $A$ answers correctly, $v_0 = y_1$, so $v_{i-2} = y_{i-1} = x$ and the test passes; 
for $i = 2$ the test is applied directly to $v_0$.) 
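The chain construction of Reduction 2 and the plant-and-unwind step of $S^A$, as an added Python example (this is not code from the paper). It stands in a toy affine permutation for the $s(n)$-weak one-way permutation $f$, simulates the adversary $A$ as one that returns the correct preimage of $g$ with a chosen probability and garbage otherwise, and fixes $N = \lceil n/s(n) \rceil$ and the repetition count as parameters; those choices, and the constants, are assumptions of the example rather than values taken from the page.

```python
import math
import random

# Toy instantiation of Reduction 2 (added example; not the paper's code).
# Assumptions: n-bit strings are Python ints in [0, 2**n); the "weak one-way
# permutation" f is a fixed affine map x -> a*x + b mod 2**n, which is a
# permutation but NOT one-way.  Its inverse exists only so that the adversary A
# for g can be simulated.  N = ceil(n/s(n)) and the repetition count are
# parameters chosen here, not values taken from the paper.

N_BITS = 16
MOD = 1 << N_BITS
A_COEF, B_COEF = 0x9E37, 0x5BD1            # odd multiplier => bijection on Z_{2^n}
A_INV = pow(A_COEF, -1, MOD)

def f(x):
    return (A_COEF * x + B_COEF) % MOD

def f_inv(y):
    return ((y - B_COEF) * A_INV) % MOD

def g(x, pi):
    """g(x; pi) = y_{N+1} with y_1 = x and y_i = pi_{i-1} XOR f(y_{i-1}); pi has N blocks."""
    y = x
    for p in pi:
        y = p ^ f(y)
    return y

def g_inv(y, pi):
    """Inverts g by running the chain backwards; possible only because the toy f is invertible."""
    for p in reversed(pi):
        y = f_inv(y ^ p)
    return y

def chain_roundtrip(x, N, seed=0):
    """Sanity check that g(.; pi) is a permutation for a constructed public string pi."""
    rng = random.Random(seed)
    pi = [rng.randrange(MOD) for _ in range(N)]
    return g_inv(g(x, pi), pi) == x

def make_partial_adversary(delta, rng):
    """A simulated adversary A for g: answers correctly with probability delta,
    otherwise returns an unrelated random string (constructed behaviour)."""
    def A(y_last, pi):
        if rng.random() < delta:
            return g_inv(y_last, pi)
        return rng.randrange(MOD)
    return A

def invert_with_reduction(fx, A, N, trials, rng):
    """S^A from the proof of Theorem 2, on input f(x)."""
    for _ in range(trials):
        i = rng.randrange(2, N + 2)                   # i in {2, ..., N+1}
        pi = [rng.randrange(MOD) for _ in range(N)]   # pi_1..pi_N, stored 0-indexed
        y = fx ^ pi[i - 2]                            # plant: y_i = f(x) XOR pi_{i-1}
        for j in range(i, N + 1):                     # y_{j+1} = pi_j XOR f(y_j)
            y = pi[j - 1] ^ f(y)
        v = A(y, pi)                                  # v_0, A's guess for y_1
        for j in range(1, i - 1):                     # v_j = pi_j XOR f(v_{j-1}), up to v_{i-2}
            v = pi[j - 1] ^ f(v)
        if f(v) == fx:                                # v_{i-2} = y_{i-1} = x when A was right
            return v
    return None

def success_rate(delta, N, trials, samples=200, seed=1):
    """Fraction of random x on which S^A inverts f(x), for an A of success probability delta."""
    rng = random.Random(seed)
    A = make_partial_adversary(delta, rng)
    hits = 0
    for _ in range(samples):
        x = rng.randrange(MOD)
        if invert_with_reduction(f(x), A, N, trials, rng) == x:
            hits += 1
    return hits / samples

if __name__ == "__main__":
    s = 1 / 4                                         # assumed weakness parameter s(n)
    N = math.ceil(N_BITS / s)                         # N = n/s(n) blocks of public randomness
    print("A right 30% of the time, 1 trial: ", success_rate(0.3, N, trials=1))
    print("A right 30% of the time, 30 trials:", success_rate(0.3, N, trials=30))
```

The planted value $f(x)$ is indistinguishable, from $A$'s point of view, from the $i$-th link of an honestly generated chain, which is why a single run of $A$ succeeds with roughly its own probability $\delta(n)$ and repetition drives the failure probability of $S^A$ down geometrically; the last two prints show that effect numerically.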




4.2 A linearly preserving reduction using less randomness 

Although Reduction 2 is linearly preserving, it does have the drawback that the 
length of the public random string is rather large, and even worse this length 
depends linearly on the weakness parameter $s(n)$ of the weak one-way function. 
In this subsection, we describe a linearly preserving reduction that uses a much 
shorter public random string. 

The overall structure of the reduction is the same as Reduction 2. The differ- 
ence is that we use many fewer public random strings of length $n$ in a recursive 
way to produce the almost random inputs to $f$. The reduction is in two steps. 
In the first step we describe a linearly preserving reduction from an $s(n)$-weak 
one-way permutation $f$ to a $\frac{1}{2}$-weak one-way permutation $g$. The second step 
reduces $g$ to a one-way permutation $h$ using the construction given in Reduction 
2. 

Reduction 3: Let $f(x)$ be an $s(n)$-weak one-way permutation, where $x \in 
\{0,1\}^n$. Let $l = \lceil \log_{3/2}(2/s(n)) \rceil$ and let $N = 2^l$. Let $\pi \in \{0,1\}^{l \times n}$. Define 

$$g(x; \pi_1) = f(\pi_1 \oplus f(x)).$$ 

For all $i = 2, \ldots, l$, recursively define 

$$g(x; \pi_1, \ldots, \pi_i) = g\big(\pi_i \oplus g(x; \pi_1, \ldots, \pi_{i-1});\ \pi_1, \ldots, \pi_{i-1}\big).$$ 

Theorem 3: Reduction 3 is a linearly preserving reduction from an $s(n)$- 
weak one-way permutation $f(x)$ to $\frac{1}{2}$-weak one-way permutation $g(x; \pi)$. More 
precisely, there is an oracle algorithm $S$ such that if $A$ is an $R_g(n)$-breaking 
adversary for $\frac{1}{2}$-weak $g(x; \pi)$ then $S^A$ is an $R_f(n)$-breaking adversary for $s(n)$- 
weak $f$, where $R_f(n) = \ldots$ 

The final step in the reduction is to go from weak one-way permutation $g$ with 
weakness parameter $\frac{1}{2}$ to a one-way permutation $h$ using Reduction 2, except 
now $g$ has weakness parameter $\frac{1}{2}$ and uses a public random string of length 
$m = O(n \log(1/s(n)))$. Thus, when using Reduction 2 to go from $g$ to $h$, we set 
$N = \log(1/R_g(n)) \le n$ and partition the public random string into $N$ blocks of 
length $n + m$. Thus, the overall reduction uses $O(n^2 \log(1/s(n)))$ public random 
bits, as opposed to $O(n^2/s(n))$ for Reduction 2. It is not hard to verify that the 
overall reduction from $f$ to $h$ is linearly preserving. 
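The recursive structure of Reduction 3 and its randomness accounting, as an added example (not code from the paper). The toy affine permutation and the constructed public string are assumptions of the example; the comparison figure counts the $N \cdot n$ bits a Reduction 2 style string would need to drive the same $N = 2^l$ calls to $f$.

```python
import math

# Toy instantiation of Reduction 3 (added example; not the paper's code).
# Assumptions: n-bit strings are Python ints in [0, 2**n) and f is a fixed
# affine permutation standing in for an s(n)-weak one-way permutation (it is
# not one-way).  The public string pi is constructed, not random.

N_BITS = 8
MOD = 1 << N_BITS

class CountingF:
    """Wraps the toy permutation f and counts how often it is evaluated."""
    def __init__(self):
        self.calls = 0
    def __call__(self, x):
        self.calls += 1
        return (0x3B * x + 0x5A) % MOD       # odd multiplier => permutation of Z_{2^n}

def g_rec(x, pi, level, f):
    """g(x; pi_1..pi_level):
         level 1 :  f(pi_1 XOR f(x))
         level i :  g(pi_i XOR g(x; pi_1..pi_{i-1}); pi_1..pi_{i-1})
       Each level doubles the number of calls to f, so level l makes 2^l calls."""
    if level == 1:
        return f(pi[0] ^ f(x))
    inner = g_rec(x, pi, level - 1, f)
    return g_rec(pi[level - 1] ^ inner, pi, level - 1, f)

def levels_for(s):
    """l = ceil(log_{3/2}(2/s(n))) and N = 2^l, as in Reduction 3."""
    l = math.ceil(math.log(2 / s, 1.5))
    return l, 2 ** l

def analyse(s):
    """Builds g for weakness s, checks it is a permutation of {0,1}^n and counts f calls and public bits."""
    l, N = levels_for(s)
    pi = [(0xA5 * (i + 1)) % MOD for i in range(l)]   # l public blocks of n bits (constructed)
    f = CountingF()
    images = {g_rec(x, pi, l, f) for x in range(MOD)}  # exhaust the domain: n is tiny
    return {
        "levels": l,
        "N": N,
        "is_permutation": len(images) == MOD,
        "f_calls_per_eval": f.calls // MOD,
        "public_bits_reduction3": l * N_BITS,          # pi in {0,1}^{l x n}
        "public_bits_for_N_blocks": N * N_BITS,        # a Reduction 2 string feeding N calls
    }

if __name__ == "__main__":
    print(analyse(1 / 4))
```

With $s(n) = 1/4$ the construction has $l = 6$ levels, makes $N = 64$ calls to $f$ per evaluation, and consumes $l \cdot n = 48$ public bits where a string of $N$ independent blocks would need $512$; the recursion reuses each $\pi_i$ across all calls beneath it, which is exactly why the randomness drops from $N \cdot n$ to $l \cdot n$.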

4.3 A linearly preserving reduction using expander graphs 

The work described in [1] gives a polynomially preserving reduction from a weak 
one-way permutation to a one-way permutation that uses only a linear amount of 
public randomness. As briefly described below, their reduction can be modified 
in minor ways to yield a linearly preserving reduction from a weak one-way 
permutation $f$ to a one-way permutation $h$ that uses only a linear number of 
public random bits overall. 

As in Reduction 3, the reduction is in two steps: the first step is a linearly 
preserving reduction from an $s(n)$-weak one-way permutation $f$ to a $\frac{1}{2}$-weak one- 
way permutation $g$ and the second step reduces $g$ to a one-way permutation $h$. 
As in Reduction 3, the first step is recursive and uses $O(\log(1/s(n)))$ independent 
public random strings, but they are each of constant length instead of length $n$. 
The idea is to define a constant degree expander graph with vertex set $\{0,1\}^n$ 
and then each string is used to select a random edge out of a vertex in the 
expander graph. The second step is iterative, but uses only an additional $O(n)$ 
public random bits. These $O(n)$ public random bits are used to define a random 
walk of length $O(n)$ on a related expander graph. 

The overall number of public random bits used in the entire reduction from $f$ 
to $h$ is only linear. The way [1] describes the reduction, the one-way permutation 
$f$ is applied to inputs of different lengths (all within a constant multiplicative 
factor of each other) to yield $h$. For this reason, as they describe their reduction it 
is only polynomially preserving, even with respect to the new definitions. Minor 
modifications to their reduction yield an alternative reduction where all inputs 
to $f$ are of the same length as the private input to $h$. It can be shown that the 
alternative reduction with respect to the new definitions is linearly preserving. 
Abstract. This paper determines an exact relationship between colli- 
sion-free hash functions and other cryptographic primitives. Namely, it 
introduces a new concept, the pseudo-permutation, and shows that the 
existence of collision-free hash functions is equivalent to the existence 
of claw-free pairs of pseudo-permutations. When considered as one bit 
contractors (functions from $k+1$ bits to $k$ bits), the collision-free hash 
functions constructed are more efficient than those proposed originally, 
requiring a single (claw-free) function evaluation rather than $k$. 

1 Introduction 

Hash functions with various cryptographic properties have been studied exten- 
sively, especially with respect to signing algorithms (see [2, 3, 4, 10, 12, 14, 15]). 
We focus on the most natural of these functions, the collision-free hash func- 
tions. A hash function $h$ is collision-free if it is hard for any efficient algorithm, 
given $h$ and $1^k$, to find a pair $(x, y)$ so that $|x| = |y| = k$ and $h(x) = h(y)$. These 
functions were first carefully studied by Damgård in [2]. Given the interest in 
these functions, we would like to determine necessary and sufficient conditions 
for their existence in terms of other, simpler, cryptographic machinery. 

There has been recent attention to the minimal logical requirements for other 
cryptographic primitives. Rompel (in [12]), improving a construction of Naor and 
Yung (in [10]), shows that the existence of secure digital signing systems (in the 
sense of [5]) is equivalent to the existence of one-way functions. Impagliazzo, 
Levin, and Luby (in [7]) and Hastad (in [6]) demonstrate the equivalence of the 
existence of pseudo-random number generators (see [1, 13]) and the existence of 
one-way functions. 

Damgård (in [2]), distilling arguments of Goldwasser, Micali, and Rivest (in 
[5]), shows that the existence of another cryptographic primitive, a claw-free 
pair of permutations, is sufficient to construct collision-free hash functions. A 
pair of permutations $(f, g)$ is claw-free if it is hard for any efficient algorithm, 
given $(f, g)$ and $1^k$, to find a pair $(x, y)$ so that $|x| = |y| = k$ and $f(x) = 
g(y)$. Comparing the definitions of collision-free hash functions and claw-free 
pairs of permutations, it seems unlikely that the existence of claw-free pairs 
of permutations is necessary for the existence of collision-free hash functions 
because the hash functions have no explicit structural properties that reflect 
the condition of permutativity in the claw-free pairs of permutations. Our paper 
relaxes this condition of permutativity and defines a natural object, the existence 
of which is necessary and sufficient for the existence of a family of collision-free 
hash functions. 

* Supported by an NSF Graduate Fellowship 

We define a new concept, the pseudo-permutation. A function $f : S \to S$ is a 
pseudo-permutation if it is computationally indistinguishable from a permuta- 
tion. For this "indistinguishability" we require that it be hard for any efficient 
algorithm, given the function $f$ and $1^k$, to compute a quickly verifiable proof of 
non-injectivity, i.e. a pair $(x, y)$ where $|x| = |y| = k$, $x \neq y$, and $f(x) = f(y)$. 
The main contribution of our paper is that the existence of a collection of claw- 
free pairs of pseudo-permutations is equivalent to the existence of a collection 
of collision-free hash functions. This fact shows that nontrivial "claw-freeness" 
is essential to collision-free hashing and also weakens the assumptions necessary 
for their existence. 

In §2 we describe our notation and define some cryptographic machinery. 
In §3 we present our main theorem. In §4 we consider the efficiency of our 
construction. Finally, in §5, we discuss an open problem and the motivation for 
this research. 

2 Notation and Definitions 

We adopt the following class of expected polynomial time Turing machines as 
our standard class of "efficient algorithms" (see [9] for a precise definition and 
discussion of this class). 

Definition 1. Let $\mathcal{EA}$, our class of efficient algorithms, be the class of prob- 
abilistic Turing machines (with output) running in expected polynomial time. 
We consider these machines to compute probability distributions over $\Sigma^*$. For 
$M \in \mathcal{EA}$ we use the notation $M[w]$ to denote both the probability space defined 
by $M$ on $w$ over $\Sigma^*$ and an element selected according to this space. 

For simplicity, let us fix a two letter alphabet $\Sigma = \{0, 1\}$. The consequences 
of a larger alphabet will be discussed in §4. $1^k$ denotes the concatenation of $k$ 1's. 
$\mathbb{Q}[x]$ denotes the class of polynomials over the rationals. Borrowing notation from 
[4], if $S$ is a probability space, $x \leftarrow S$ denotes the assignment of $x$ according to 
$S$. If $p(x_1, \ldots, x_k)$ is a predicate, then $\Pr[x_1 \leftarrow S_1, \ldots, x_k \leftarrow S_k : p(x_1, \ldots, x_k)]$ 
denotes the probability that $p$ will be true after the ordered assignment of $x_1$ 
through $x_k$. 

Definition 2. A collection of claw-free functions is a collection of function 
tuples $\{(f_i^0, f_i^1) \mid i \in I\}$ for some index set $I \subseteq \Sigma^*$ where $f_i^j : \Sigma^{|i|} \to \Sigma^{|i|}$ and: 

CF1. [accessibility] there exists a generating algorithm $G \in \mathcal{EA}$ so that $G[1^n] \in 
\{0,1\}^n \cap I$. 

CF2. [efficient computability] there exists a computing algorithm $C \in \mathcal{EA}$ so that 
for $i \in I$, $j \in \{0, 1\}$, and $x \in \Sigma^{|i|}$, $C[i, j, x] = f_i^j(x)$. 

CF3. [claw-freedom] for all claw finding algorithms $A \in \mathcal{EA}$, $\forall P \in \mathbb{Q}[x]$, $\exists k_0$, 
$\forall k > k_0$, 

$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : f_i^0(x) = f_i^1(y)] < \frac{1}{P(k)}.$$ 

If $(f_i^0, f_i^1)$ is a member of a collection of claw-free pairs, then $(f^0, f^1)$ is called 
a claw-free pair and a pair $(x, y)$ so that $f^0(x) = f^1(y)$ is called a claw of $(f^0, f^1)$. 

This definition, from a cryptographic perspective, requires nothing of the 
function pairs involved unless they have overlapping images. One way to require 
that the functions have overlapping images is to require that the functions be 
permutations. This yields the following object, originally defined in [5] and then 
in this form by [2]. 

Definition 3. A collection of claw-free permutations is a collection of claw- 
free functions $\{(f_i^0, f_i^1) \mid i \in I\}$ where each $f_i^j$ is a permutation. 

Although the intractability of certain number theoretic problems implies the 
existence of a collection of claw-free pairs of permutations (footnote 2), the existence of 
one-way permutations is not known to be enough (footnote 3). 

Definition 4. A collection of pseudo-permutations is a collection of func- 
tions $\{f_i \mid i \in I\}$ for some index set $I \subseteq \Sigma^*$ where $f_i : \Sigma^{|i|} \to \Sigma^{|i|}$ and: 

$\psi$P1. [accessibility] there exists a generating algorithm $G \in \mathcal{EA}$ so that $G[1^n] \in 
\{0,1\}^n \cap I$. 

$\psi$P2. [efficient computability] there exists a computing algorithm $C \in \mathcal{EA}$ so that 
for $i \in I$ and $x \in \Sigma^{|i|}$, $C[i, x] = f_i(x)$. 

$\psi$P3. [collapse freedom] for all collapse finding algorithms $A \in \mathcal{EA}$, $\forall P \in \mathbb{Q}[x]$, 
$\exists k_0$, $\forall k > k_0$, 

$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : f_i(x) = f_i(y) \wedge x \neq y] < \frac{1}{P(k)}.$$ 

If a function $f$ is a member of a collection of pseudo-permutations it is 
called a pseudo-permutation and a pair $(x, y)$ where $f(x) = f(y)$ and $x \neq y$ 
is called a collapse of $f$. Property $\psi$P3 means that it is hard for an efficient 
algorithm to produce a quickly verifiable proof that $f$ is not a permutation. In 
the definition above, this proof is specifically required to be a proof of non- 
injectivity: a collapse. One might also prove that a function $f : S \to S$ is 

2 In [5] the intractability of factoring is shown to be sufficient. In [2], the construction of 
[5] is extended and the intractability of the discrete log is also shown to be sufficient. 

3 [11] discusses algebraic forms of one way permutations sufficient for claw-free 
permutations. 
not a permutation by producing a proof of non-surjectivity: an element in $S - 
\mathrm{Im}\, f$. We require the former because of the difference in computational resources 
necessary to verify these proofs: a proof of non-injectivity may be verified with 
two function applications whereas a proof of non-surjectivity requires evaluation 
of $f$ at every point in the domain. Like the definition for claw-free functions, 
the above definition requires nothing cryptographically of the functions involved 
unless $|\mathrm{Im}\, f_i| < |\mathrm{Dom}\, f_i|$. If the functions in the collection are injective, then 
$\psi$P3 is vacuously true. 

Pseudo-permutations are a reasonable replacement for permutations in a 
cryptographic setting; for example, the entire signing algorithm of Naor and 
Yung (in [10]) may be implemented with one-way (footnote 4) pseudo-permutations rather 
than one-way permutations. 

Definition 5. A collection of claw-free pseudo-permutations is a collec- 
tion of claw-free functions $\{(f_i^0, f_i^1) \mid i \in I\}$ so that both $\{f_i^0 \mid i \in I\}$ and $\{f_i^1 \mid i \in I\}$ 
are collections of pseudo-permutations. 

Collections of claw-free pseudo-permutations gather their cryptographic 
structure from the tension between two otherwise weak definitions. If the pseudo- 
permutations lack cryptographic richness (so that they are very close to permu- 
tations) then the intersection of their images must be large and there must be 
many claws, imparting richness by virtue of claw-freedom. If, instead, the pair 
has few claws, then the images of the two functions must be nearly disjoint (and 
so, small) so that the functions themselves are cryptographically rich by virtue 
of their many collapses. 

3 The Structure of Collision-Free Hash Functions 

Definition 6. A collection of collision-free hash functions is a collection 
of functions $\{h_i \mid i \in I\}$ for some index set $I \subseteq \Sigma^*$ where $h_i : \Sigma^{|i|+1} \to \Sigma^{|i|}$ and: 

H1. [accessibility] there exists a generating algorithm $G \in \mathcal{EA}$ so that $G[1^n] \in 
\{0, 1\}^n \cap I$. 

H2. [efficient computability] there exists a computing algorithm $C \in \mathcal{EA}$ so that 
for $i \in I$ and $w \in \Sigma^{|i|+1}$, $C[i, w] = h_i(w)$. 

H3. [collision-freedom] for all collision generating algorithms $A \in \mathcal{EA}$, $\forall P \in 
\mathbb{Q}[x]$, $\exists k_0$, $\forall k > k_0$, 

$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : h_i(x) = h_i(y) \wedge x \neq y] < \frac{1}{P(k)}.$$ 

If $h$ is a member of a collection of collision-free hash functions then $h$ is called 
a collision-free hash function and a pair $(x, y)$ where $h(x) = h(y)$ and $x \neq y$ is 
called a collision of $h$. 



4 This is a collection of pseudo-permutations which are hard to invert in the sense of 
one-way functions. 
The notion of a polynomial separator will be used in the following proof. For 
the purposes of this paper, a separator is a pair of injective maps from $\Sigma^k$ into $\Sigma^{k+1}$ 
so that their images have no intersection. (Because $|\Sigma| = 2$, their images cover 
$\Sigma^{k+1}$.) 

Definition 7. A collection of polynomial separators is a collection of func- 
tion pairs $\{(\sigma_i^0, \sigma_i^1) \mid i \in I\}$ for some index set $I \subseteq \Sigma^*$ where $\sigma_i^j : \Sigma^{|i|} \to \Sigma^{|i|+1}$ 
for $j \in \{0, 1\}$ and: 

PS1. [accessibility] there exists a generating algorithm $G \in \mathcal{EA}$ so that $G[1^n] \in 
\{0, 1\}^n \cap I$. 
PS2. [injectivity] $\sigma_i^0$ and $\sigma_i^1$ are injective. 
PS3. [disjointness] $\mathrm{im}\, \sigma_i^0 \cap \mathrm{im}\, \sigma_i^1 = \emptyset$. 

PS4. [efficient computability] there exists a computing algorithm $C \in \mathcal{EA}$ so that 
for $i \in I$, $w \in \Sigma^{|i|}$, and $j \in \{0, 1\}$, $C[i, j, w] = \sigma_i^j(w)$. 

With each such collection, we associate a collection of inverses $\{\iota_i\}$ where 
$\iota_i : \Sigma^{|i|+1} \to \Sigma^{|i|}$ and $\iota_i \circ \sigma_i^0 = \iota_i \circ \sigma_i^1 = \mathrm{id}_{\Sigma^{|i|}}$, and a collection of image deciders 
$\{\delta_i\}$ where $\delta_i : \Sigma^{|i|+1} \to \{0, 1\}$ and $\forall w \in \Sigma^{|i|+1}$, $w \in \mathrm{im}\, \sigma_i^{\delta_i(w)}$. 

The collection is said to have a polynomial inverse if the collection of 
inverses is so that $\exists C_\iota \in \mathcal{EA}$, $\forall w \in \Sigma^{|i|+1}$, $\forall i \in I$, $C_\iota[w, i] = \iota_i(w)$. If a collec- 
tion is so endowed, then it is clear that the image deciders are also efficiently 
computable. 

Construction of a family of polynomial separators with a polynomial inverse 
is easy: the $\mathrm{append}_0 : x \mapsto x0$ and $\mathrm{append}_1 : x \mapsto x1$ functions, for example. 

Theorem 8. There exists a collection of collision-free hash functions iff there 
exists a collection of claw-free pairs of pseudo-permutations. 

Proof. ($\Rightarrow$) Let $\{h_i \mid i \in I\}$ be a collection of collision-free hash functions and let 
$\{(\sigma_i^0, \sigma_i^1) \mid i \in I\}$ be a collection of polynomial separators (unrelated to the hash 
functions, but over the same index set). Define the collection $\{(f_i^0, f_i^1) \mid i \in I\}$ so 
that 

$$f_i^j = h_i \circ \sigma_i^j \quad \text{for } j \in \{0, 1\}.$$ 

We show that the collection of functions so defined is a collection of claw- 
free pseudo-permutations. Properties CF1 and CF2 are immediate. Assume that 
property CF3 does not hold, that is $\exists A \in \mathcal{EA}$, $\exists P \in \mathbb{Q}[x]$, $\forall k_0$, $\exists k > k_0$, 

$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : f_i^0(x) = f_i^1(y)] > \frac{1}{P(k)}.$$ 

Let $(x, y)$ be a claw for $(f_i^0, f_i^1)$; then $f_i^0(x) = f_i^1(y) \Rightarrow h_i(\sigma_i^0(x)) = h_i(\sigma_i^1(y))$, 
but $\mathrm{im}\, \sigma_i^0 \cap \mathrm{im}\, \sigma_i^1 = \emptyset$ so that $\sigma_i^0(x) \neq \sigma_i^1(y)$ and a collision has been found for 
$h_i$. Then, given this claw generating algorithm $A$ we can construct a collision 
generating algorithm $A'$ succeeding with identical probability as $A$, violating H3. 
Therefore, CF3 holds. 
To show that $\{f_i^j \mid i \in I\}$ for each $j \in \{0, 1\}$ are collections of pseudo- 
permutations, we verify properties $\psi$P1 - $\psi$P3 for each. $\psi$P1 and $\psi$P2 are im- 
mediate. Suppose, for contradiction, that property $\psi$P3 is not satisfied, so that 
($\exists j \in \{0, 1\}$,) $\exists A \in \mathcal{EA}$, $\exists P \in \mathbb{Q}[x]$, $\forall k_0$, $\exists k > k_0$, 

$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : f_i^j(x) = f_i^j(y) \wedge x \neq y] > \frac{1}{P(k)}.$$ 

Let $(x, y)$ be a collapse of $f_i^j$, so that $f_i^j(x) = f_i^j(y)$ and $x \neq y$. Then $\sigma_i^j(x) \neq 
\sigma_i^j(y)$ because $\sigma_i^j$ is injective, so that $(\sigma_i^j(x), \sigma_i^j(y))$ is a nontrivial collision of 
$h_i$ (because $f_i^j = h_i \circ \sigma_i^j$). Then, given this collapse generating algorithm $A$ 
we can construct a collision generating algorithm $A'$ succeeding with identical 
probability as $A$, violating H3. Therefore, $\psi$P3 holds. 

($\Leftarrow$) Let $\{(f_i^0, f_i^1) \mid i \in I\}$ be a collection of claw-free pairs of pseudo- 
permutations and let $\{(\sigma_i^0, \sigma_i^1) \mid i \in I\}$ be a collection of polynomial separat- 
ors with inverses $\{\iota_i \mid i \in I\}$ and image deciders $\{\delta_i \mid i \in I\}$. Then define $\{h_i \mid i \in I\}$ 
so that 

$$h_i(x) = f_i^{\delta_i(x)}(\iota_i(x)).$$ 

We show that $\{h_i \mid i \in I\}$ is a collection of collision-free hash functions. Properties 
H1 and H2 are immediate. Assume, for contradiction, that property H3 is not 
satisfied, that is $\exists A \in \mathcal{EA}$, $\exists P \in \mathbb{Q}[x]$, $\forall k_0$, $\exists k > k_0$, 

$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : h_i(x) = h_i(y) \wedge x \neq y] > \frac{1}{P(k)},$$ 

so that $\forall k_0$, $\exists k > k_0$, 

$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : h_i(x) = h_i(y) \wedge x \neq y \wedge \delta_i(x) = \delta_i(y)] > \frac{1}{2P(k)} \ \vee$$ 
$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : h_i(x) = h_i(y) \wedge x \neq y \wedge \delta_i(x) \neq \delta_i(y)] > \frac{1}{2P(k)},$$ 

and we encounter at least one of two possibilities: 

1. $\forall k_0$, $\exists k > k_0$, 
$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : h_i(x) = h_i(y) \wedge x \neq y \wedge \delta_i(x) = \delta_i(y)] > \frac{1}{2P(k)}.$$ 

2. $\forall k_0$, $\exists k > k_0$, 
$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : h_i(x) = h_i(y) \wedge x \neq y \wedge \delta_i(x) \neq \delta_i(y)] > \frac{1}{2P(k)}.$$ 

In the event of 1 above, the algorithm $A$ generates collisions $(x, y)$ where 
$\delta_i(x) = \delta_i(y)$. In this case, for at least one $j \in \{0, 1\}$, $\forall k_0$, $\exists k > k_0$, 

$$\Pr[i \leftarrow G[1^k],\ (x, y) \leftarrow A[i] : h_i(x) = h_i(y) \wedge x \neq y \wedge j = \delta_i(x) = \delta_i(y)] > \frac{1}{4P(k)}.$$ 

Given a collision of this sort, $h_i(x) = h_i(y) \Rightarrow f_i^j(\iota_i(x)) = f_i^j(\iota_i(y))$, and $\iota_i(x) \neq \iota_i(y)$ 
because $x \neq y$ both lie in the image of the same injective separator $\sigma_i^j$; this is a collapse 
of $f_i^j$. Then, given algorithm $A$, we may produce another algorithm $A'$ which 
produces a collapse of $f_i^j$ with success related to the success of $A$ by a constant, 
violating $\psi$P3. 

In the event of 2 above, the algorithm $A$ generates collisions $(x, y)$ where 
$\delta_i(y) \neq \delta_i(x)$. A collision of this sort produces a claw because $h_i(x) = h_i(y) \Rightarrow 
f_i^{\delta_i(x)}(\iota_i(x)) = f_i^{\delta_i(y)}(\iota_i(y))$. Then, with algorithm $A$, we may construct a claw 
generating algorithm $A'$ which produces claws with success related to the success 
of $A$ by a constant, violating CF3. 
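Both directions of the proof of Theorem 8, carried out concretely with the $\mathrm{append}_0$ / $\mathrm{append}_1$ separators, as an added Python example (not code from the paper). It assumes a tiny $k$ so that claws and collisions can be found exhaustively, uses truncated SHA-256 as a stand-in for the hash in the ($\Rightarrow$) direction and two affine permutations of $\mathbb{Z}_{2^k}$ as a stand-in pair in the ($\Leftarrow$) direction; none of these are claw-free or collision-free at this size, and the example demonstrates only the syntactic conversions claw $\to$ collision and collision $\to$ claw-or-collapse.

```python
import hashlib

# Added example (not the paper's code): the two constructions in the proof of
# Theorem 8, with the append_0 / append_1 separators, on k-bit strings
# modelled as Python ints.  Assumptions: k is tiny so claws and collisions
# can be found by exhaustive search, and the "collision-free hash" in the
# (=>) direction is truncated SHA-256, which at 8 output bits is not
# collision-free at all.  The point is the conversions, not security.

K = 8

def sigma(j, x):      # separators sigma_0(x) = x||0, sigma_1(x) = x||1 : Sigma^k -> Sigma^{k+1}
    return (x << 1) | j

def iota(w):          # common inverse: drop the last bit
    return w >> 1

def delta(w):         # image decider: which separator produced w
    return w & 1

def h_trunc(w, k=K):  # stand-in hash Sigma^{k+1} -> Sigma^k
    digest = hashlib.sha256(w.to_bytes((k + 8) // 8, "big")).digest()
    return int.from_bytes(digest, "big") & ((1 << k) - 1)

# (=>) from a hash h build the pair f^j = h o sigma_j
def pair_from_hash(h):
    return (lambda x: h(sigma(0, x)), lambda x: h(sigma(1, x)))

def collision_from_claw(x, y):
    """A claw f^0(x) = f^1(y) means h(x||0) = h(y||1), and x||0 != y||1 always."""
    return sigma(0, x), sigma(1, y)

# (<=) from a pair (f^0, f^1) build h(w) = f^{delta(w)}(iota(w))
def hash_from_pair(f0, f1):
    return lambda w: (f1 if delta(w) else f0)(iota(w))

def claw_or_collapse_from_collision(w1, w2):
    """The case split of the proof: same side of the partition => collapse of
    f^j; different sides => claw (x on side 0, y on side 1)."""
    if delta(w1) == delta(w2):
        return ("collapse", delta(w1), iota(w1), iota(w2))
    if delta(w1) == 0:
        return ("claw", iota(w1), iota(w2))
    return ("claw", iota(w2), iota(w1))

def find_claw(f0, f1, k=K):
    """Exhaustive claw search; feasible only because k is tiny."""
    by_value = {}
    for y in range(1 << k):
        by_value.setdefault(f1(y), y)
    for x in range(1 << k):
        if f0(x) in by_value:
            return x, by_value[f0(x)]
    return None

def find_collision(h, k=K):
    """Pigeonhole: 2^(k+1) inputs onto 2^k outputs guarantees a collision."""
    seen = {}
    for w in range(1 << (k + 1)):
        v = h(w)
        if v in seen:
            return seen[v], w
        seen[v] = w
    return None

if __name__ == "__main__":
    f0, f1 = pair_from_hash(h_trunc)
    x, y = find_claw(f0, f1)
    w1, w2 = collision_from_claw(x, y)
    print("claw -> collision:", (x, y), "->", (w1, w2), h_trunc(w1) == h_trunc(w2))

    # stand-in pair: two affine permutations of Z_{2^k} (constructed, not claw-free)
    p0 = lambda x: (3 * x + 1) % (1 << K)
    p1 = lambda x: (5 * x + 2) % (1 << K)
    h = hash_from_pair(p0, p1)
    w1, w2 = find_collision(h)
    print("collision ->", claw_or_collapse_from_collision(w1, w2))
```

Because the stand-in pair in the second half consists of permutations, the collapse branch can never fire there: every collision of the derived $h$ straddles the partition and is therefore a claw, which is the situation Definition 9 and Theorem 10 describe.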

A pair of separators partitions $\Sigma^{k+1}$ into two equal sized subsets (the images 
of the separators). We couple the definition of collision-free hash functions with 
the definition of polynomial separators to define a class of hash functions where 
every collision occurs across the partition boundary; then $h(x) = h(y)$ implies 
that $x$ and $y$ are in the images of different separators. 

Definition 9. A collection of separated collision-free hash functions is 
a collection of function tuples $\{(h_i, \sigma_i^0, \sigma_i^1) \mid i \in I\}$ so that $\{h_i \mid i \in I\}$ forms a 
collection of collision-free hash functions, $\{(\sigma_i^0, \sigma_i^1) \mid i \in I\}$ forms a collection of 
polynomial separators, and 

SH. [separation] $\forall j \in \{0, 1\}$, $h_i|_{\mathrm{im}\, \sigma_i^j}$, the restriction of $h_i$ to $\mathrm{im}\, \sigma_i^j$, is bijec- 
tive. Equivalently, $h_i(x) = h_i(y) \wedge x \neq y \Rightarrow \delta_i(x) \neq \delta_i(y)$, where $\{\delta_i \mid i \in I\}$ is the 
collection of image deciders for the separators. 

The existence of a collection of separated collision-free hash functions is 
equivalent to the existence of a collection of claw-free pairs of permutations. 

Theorem 10. There exists a collection of claw-free permutations iff there exists 
a collection of separated collision-free hash functions. 

Proof. This proof is omitted due to its similarity with the previous proof. 

The collision-free hash functions constructed in the two theorems above nat- 
urally inherit properties from the primitives with which they are constructed. 
If, for example, the claw-free pairs of (pseudo-) permutations are trapdoor func- 
tions, then the hash functions constructed share this property. It is not clear 
that the original hash functions constructed in [2] offer inheritance of this sort. 

Toshiya Itoh [8] has pointed out that in the above constructions, the demand 
of claw-freedom can be replaced in an appropriate way with the demand of 
"distinction intractability" as discussed in [14]. 
It is not hard to show that by composition the above collections of hash 
functions can be used to construct families of collision-free hash functions $\{h_i : 
i \in I\}$ where $h_i : \Sigma^{P(|i|)} \to \Sigma^{|i|}$ for any polynomial $P \in \mathbb{Q}[x]$ where $\forall x \in 
\mathbb{N}$, $P(x) > x$. 

4 Comments on Efficiency 

The ($\Leftarrow$) part of Theorem 8 constructs a family of collision-free hash functions 
which are one bit contractors (functions from $\Sigma^{k+1}$ to $\Sigma^k$) and require 1 claw- 
free function evaluation to compute. Building a family of contractors by applying 
the construction in [2] yields hash functions which require $k$ evaluations of the 
underlying claw-free functions. For the case of one-bit contractors, then, the 
above construction is substantially more efficient. 

In general, to construct hash functions from $\Sigma^{P(k)}$ to $\Sigma^k$ (for a polynomial 
$P$) one can do better than naive composition. Using arguments similar to those 
of Damgård in [2], the construction above can be altered to yield hash functions 
from $\Sigma^{P(k)}$ to $\Sigma^k$ which require $P(k) - k$ evaluations of the underlying claw-free 
functions on $k$ bit arguments. The collection constructed in [2] of the same sort 
requires $P(k)$ evaluations, so the efficiency improvement in this case is only an 
additive factor of $k$. 

In [2], Damgard shows that expanding the size of the alphabet (and us- 
ing claw-free tuples of functions) can reduce the number of required claw-free 
function evaluations by a multiplicative constant factor. This same procedure is 
applicable to our above construction. 

5 An Open Problem 

The motivation for this research is the following open problem: Is the existence of 
one-way functions sufficient for the existence of collision-free hash functions? We 
believe this to be the case, and that this paper represents a step towards proving 
this goal by demonstrating the equivalence between collision-free hashing and a 
primitive not requiring pure cryptographic permutativity. 

6 Acknowledgements 

We gratefully acknowledge the keen guidance of Silvio Micali, who originally 
suggested this problem. We also acknowledge Ravi Sundaram for several helpful 
discussions. 

References 

1. Manuel Blum and Silvio Micali. How to generate cryptographically strong se- 
quences of pseudo-random bits. SIAM Journal on Computing, 13(4):850-864, 
November 1984. 



441 



2. Ivan Damgard. Collision free hash functions and public key signature schemes. 
In Proceedings of EUROCRYPT '87, volume 304 of Lecture Notes in Computer 
Science, pages 203-216, Berlin, 1988. Springer- Verlag. 

3. Alfredo De Santis and Moti Yung. On the design of provably-secure cryptographic 
hash functions. In Proceedings of EUROCRYPT '90, volume 473 of Lecture Notes 
in Computer Science, pages 412-431, Berlin, 1990. Springer-Verlag. 

4. Oded Goldreich, Shafi Goldwasser, and Silvio Micali. How to construct random 
functions. Journal of the Association for Computing Machinery, 33(4):792-807, 
October 1986. 

5. Shafi Goldwasser, Silvio Micali, and Ronald L. Rivest. A digital signature scheme 
secure against adaptive chosen-message attack. SIAM Journal on Computing, 
17(2):281-308, April 1988. 

6. J. Håstad. Pseudo-random generators under uniform assumptions. In Proceedings 
of the Twenty Second Annual ACM Symposium on Theory of Computing, pages 
395-404. ACM, 1990. 

7. Russell Impagliazzo, Leonid A. Levin, and Michael Luby. Pseudo-random generation 
from one-way functions. In Proceedings of the Twenty First Annual ACM 
Symposium on Theory of Computing, pages 12-24. ACM, 1989. 

8. Toshiya Itoh. Personal communication, August 1992. 

9. Leonid A. Levin. Average case complete problems. SIAM Journal on Computing, 
15:285-286, 1986. 

10. M. Naor and M. Yung. Universal one-way hash functions and their cryptographic 
applications. In Proceedings of the Twenty First Annual ACM Symposium on 
Theory of Computing, pages 33-43. ACM, 1989. 

11. Wakaha Ogata and Kaoru Kurosawa. On claw free families. In Proceedings of 
ASIACRYPT '91, 1991. 

12. John Rompel. One-way functions are necessary and sufficient for secure signatures. 
In Proceedings of the Twenty Second Annual ACM Symposium on Theory 
of Computing, pages 387-394. ACM, 1990. 

13. A. Yao. Theory and applications of trapdoor functions. In Proceedings of the 
Twenty Third IEEE Symposium on Foundations of Computer Science, pages 80-91. 
IEEE, 1982. 

14. Yuliang Zheng, Tsutomu Matsumoto, and Hideki Imai. Duality between two cryptographic 
primitives. In Proceedings of the Eighth International Conference on 
Applied Algebra, Algebraic Algorithms and Error-Correcting Codes, volume 508 of 
Lecture Notes in Computer Science, pages 379-390, Berlin, 1990. Springer-Verlag. 

15. Yuliang Zheng, Tsutomu Matsumoto, and Hideki Imai. Structural properties of 
one-way hash functions. In Proceedings of CRYPTO '90, volume 537 of Lecture 
Notes in Computer Science, pages 285-302, Berlin, 1990. Springer-Verlag. 



Certifying Cryptographic Tools: The Case of Trapdoor Permutations 

Mihir Bellare (1) and Moti Yung (2) 

(1) High Performance Computing and Communications, IBM T.J. Watson Research 
Center, PO Box 704, Yorktown Heights, NY 10598. e-mail: mihir@watson.ibm.com. 

(2) IBM Research, IBM T.J. Watson Research Center, PO Box 704, Yorktown Heights, 
NY 10598. e-mail: moti@watson.ibm.com. 

Abstract. In cryptographic protocols it is often necessary to verify/ 
certify the "tools" in use. This work demonstrates certain subtleties in 
treating a family of trapdoor permutations in this context, noting the 
necessity to "check" certain properties of these functions. The particular 
case we illustrate is that of non-interactive zero-knowledge. We point out 
that the elegant recent protocol of Feige, Lapidot and Shamir for proving 
NP statements in non-interactive zero-knowledge requires an additional 
certification of the underlying trapdoor permutation, and suggest a 
certification method to fill this gap. 

1 Introduction 

Primitives such as the RSA function, the discrete log function, or, more generally, 
any trapdoor or one-way function, have applications over and above the "direct" 
ones to public-key cryptography. Namely, they are also (widely) used as "tools" 
in the construction of (often complex) cryptographic protocols. 

This paper points to the fact that in this second kind of application, some 
care must be exercised in the manner in which the "tool" is used. Checks might 
be necessary that are not necessary in public-key applications. 

The need for such checks arises from the need to consider adversarial behavior 
of parties in a cryptographic protocol. Typically, the problem is that one cannot 
trust a party to "correctly" create the tool in question. For example, suppose a 
party $A$ is supposed to give another party $B$ a modulus $N$, a product of two primes, 
and an RSA exponent $e$, to specify an RSA function. On receipt of a number $N$ 
and an exponent $e$, it might be important that the receiver know that $e$ is indeed 
an RSA exponent (i.e. relatively prime to the Euler Phi Function of $N$). This 
is because the use of RSA in the protocol might be such that making $e$ not an 
RSA exponent could give $A$ an advantage (such applications do exist). Such a 
problem is not present in public-key applications, where, if I wish, for example, 
to construct a digital signature scheme based on RSA, I put in my public file a 
modulus $N$ (which I have chosen to be the product of two primes) and an RSA 
exponent $e$ (and I keep secret the primes). The question of my choosing $e$ to not 
be an RSA exponent does not arise because it is not to my advantage to do so. 

Protocols address this issue in several ways. Often, they incorporate additional 
sub-protocols which "certify" that the "tool" used is indeed "correct." 

E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 442-460, 1993. 
© Springer-Verlag Berlin Heidelberg 1993 
In applications, these sub-protocols usually need to be zero-knowledge ones. In 
most applications, such sub-protocols may be simply realized, by using, say, the 
result of [GMW]. But we note that this is not always the case. For example (cf. 
[BMO]), if we are trying to construct statistical ZK proofs, then we cannot use 
[GMW] to certify the tools because the latter yields only computational ZK. 
The issue must then be settled by other means. 

Sometimes, we note, the issue does not arise; this is the case, for example, if 
the tool is a one-way function, because a one-way function is a single object, a 
map from $\{0,1\}^*$ to $\{0,1\}^*$, specified by a string known to everyone. At other 
times, stronger assumptions about the primitive might be made. An example 
of this is the use, in protocols, of the "certified discrete log assumption" (as 
opposed to the usual "discrete log assumption"). 

The particular instance of this issue that we focus on in this paper is the use 
of trapdoor permutations in non-interactive zero-knowledge (NIZK) proofs. We 
point out that the elegant recent NIZK protocol of Feige, Lapidot and Shamir 
[FLS] makes the (implicit) assumption that the trapdoor permutation is "certified." 
We note that this assumption is not valid for standard (conjectured) 
trapdoor permutations like RSA or those of [BBS] (and so their protocol cannot 
be instantiated with any known (conjectured) trapdoor permutation). We suggest 
a certification method to fill this gap (so that any trapdoor permutation 
truly suffices, and RSA or the construction of [BBS] may be used). Our certification 
method involves a NIZK proof that a function is "almost" a permutation, 
and might be of independent interest. 

Below we begin by recalling the notions of trapdoor permutations and NIZK 
proofs. We then discuss the FLS protocol and indicate the source of the problem. 
We then, briefly, discuss our solution. Later sections specify the definitions and 
our solution in more detail. 

1.1 Trapdoor Permutations 

Let us begin by recalling, in some detail, the definition of a trapdoor permutation 
generator (cf. [BeMi]), and seeing what it means for such a generator to be 
certified. 

A trapdoor permutation generator is a triplet of polynomial time algorithms 
$(G, E, I)$ called the generating, evaluating, and inverting algorithms, respectively. 
The generating algorithm is probabilistic, and on input $1^n$ outputs a pair 
of $n$-bit strings $(f^*, f^{*-1})$, describing, respectively, a trapdoor permutation and its 
inverse. If $x, y$ are $n$-bit strings, then so are $E(f^*, x)$ and $I(f^{*-1}, y)$. Moreover, the 
maps $f, \bar f: \{0,1\}^n \to \{0,1\}^n$ specified by $f(x) = E(f^*, x)$ and $\bar f(y) = I(f^{*-1}, y)$ 
are permutations of $\{0,1\}^n$, and $\bar f = f^{-1}$. Finally, $f$ is "hard to invert" without 
knowledge of $f^{*-1}$. (We refer the reader to §2.2 for more precise definitions.) 

Fix a trapdoor permutation generator $(G, E, I)$. We call an $n$-bit string $f^*$ 
a trapdoor permutation if there exists some $n$-bit string $f^{*-1}$ such that the pair 
$(f^*, f^{*-1})$ has a non-zero probability of being obtained when we run $G$ on input $1^n$. 
It is important to note that not every $n$-bit string $f^*$ is a trapdoor permutation. 
In fact, the set of $n$-bit strings which are trapdoor permutations may be a very 
sparse subset of $\{0,1\}^n$, and perhaps not even recognizable in polynomial time. 
If it is recognizable in polynomial time, we say the generator is certified (that 
is, the trapdoor permutation generator $(G, E, I)$ is said to be certified if there 
exists a polynomial time algorithm which, on input a string $f^*$, outputs 1 iff $f^*$ 
is a trapdoor permutation). 

We note that certification is a lot to ask for. Consider our two main (conjectured) 
examples of trapdoor permutation generators: RSA [RSA], and the 
factoring based generator of Blum, Blum and Shub [BBS]. Neither is likely to 
be certified. This is because, in both cases, certification would need the ability 
to recognize in polynomial time the class of integers which are a product of 
(exactly) two (distinct) primes. 

The importance of certification arises, as we will see, from the use of trapdoor 
permutations as "tools" in protocols. Typically, one party (for example, the 
prover) gives the other party (for example, the verifier) a string $f^*$ which is 
supposed to be a trapdoor permutation. For security reasons he may not wish 
to reveal (as proof that it is indeed one) the string $f^{*-1}$, but may nonetheless 
need to convince the verifier that $f^*$ is indeed a trapdoor permutation. This 
is clearly easy if the underlying generator is certified. If the generator is not 
certified, the protocol itself must address the task of giving suitable conviction 
that $f^*$ is really a trapdoor permutation. In interactive protocols this is usually 
(but not necessarily always!) easy. As we will see, the issue is more complex in 
the non-interactive case. 

1.2 Non-Interactive Zero-Knowledge Proofs 

The setting we focus on in this paper is that of non-interactive zero-knowledge 
(NIZK) proof systems. NIZK is an important notion for cryptographic systems 
and protocols which was introduced by Blum, Feldman, and Micali [BFM] and 
Blum, De Santis, Micali and Persiano [BDMP]. There are numerous applications. 
In particular, Naor and Yung show how to use NIZK proofs to implement public- 
key cryptosystems secure against chosen-ciphertext attack [NaYu], and Bellare 
and Goldwasser present a novel paradigm for digital signatures based on NIZK 
proofs [BeGo]. 

The model is as follows. The prover and verifier have a common input $w$ and 
also share a random string (of length polynomial in the length of $w$). We call this 
string the reference string, and usually denote it by $\sigma$. The prover must convince 
the verifier of the membership of $w$ in some fixed underlying NP language $L$. To 
this end, the prover is allowed to send the verifier a single message, computed 
as a function of $w$ and $\sigma$ (in the case where $w \in L$, we also give the prover, as 
an auxiliary input, a witness to the membership of $w$ in $L$). We usually denote 
this message by $p$. The verifier (who is polynomial time) decides whether or not 
to accept as a function of $w, \sigma$ and $p$. We ask that there exist a prover who 
can convince the verifier to accept $w \in L$, for all random strings $\sigma$ (this is the 
completeness condition). We ask that for any prover, the probability (over the 
choice of $\sigma$) that the verifier may be convinced to accept when $w \notin L$ is small 
(this is the soundness condition). Finally, we ask that the proof provided by the 
prover of the completeness condition (in the case $w \in L$) be zero-knowledge, 
by requiring the existence of an appropriate "simulator." For a more complete 
specification of what it means to be a NIZK proof system, we refer the reader 
to §2.3. 

We will focus here on protocols with efficient provers. That is, we want the 
prover of the completeness condition (we call it the "honest" prover) to run in 
polynomial (in $n = |w|$) time. 

We note that we are considering what are called "single-theorem" or 
"bounded" NIZK proof systems. The primitive of importance in applications is 
the "many-theorem" proof system (cf. [BFM, BDMP]). However, the former is 
known to imply the latter, given the existence of one-way functions [DeYu, FLS]. 
So we may, wlog, stick to the former. 

1.3 The Need for Certification in the FLS Protocol 

Feige, Lapidot and Shamir [FLS] recently presented an elegant NIZK proof system 
based on the existence of trapdoor permutations. The assumption, implicit 
in their analysis, is that the underlying trapdoor permutation generator is certified. 
Here we indicate whence arises the need for this certification. Once we have 
identified the source of the problem, we will discuss how we propose to solve it. 

Let $L$ be a language in NP, and let $(G, E, I)$ be a trapdoor permutation 
generator. Fix a common input $w \in \{0,1\}^n$, and let $\sigma$ denote the reference 
string. We will describe how the prover and verifier are instructed to operate 
under the FLS protocol. First, however, we need some background and some 
notation. 

First, note that even if $f^*$ is not a trapdoor permutation, we may assume, 
wlog, that $E(f^*, x)$ is $n$ bits long. Thus, $f^*$ does specify (via $E$) a map from 
$\{0,1\}^n$ to $\{0,1\}^n$; specifically, the map given by $x \mapsto E(f^*, x)$. We call this map 
the function specified by $f^*$ under $E$, and will denote it by $f$. Of course, if $f^*$ is 
a trapdoor permutation then $f$ is a permutation. 

If $x$ and $r$ are $n$-bit strings then $H(x, r)$ denotes the dot product, over GF(2), 
of $x$ and $r$ (more precisely, $H(x, r) = \bigoplus_{i=1}^{n} x_i r_i$). The theorem of Goldreich 
and Levin [GoLe] says that $H$ is a "hard-core" predicate for $(G, E, I)$. Very 
informally, this means the following. Suppose we run $G$ (on input $1^n$) to get 
$(f^*, f^{*-1})$, select $x$ and $r$ at random from $\{0,1\}^n$, and let $y = f(x)$. Then, given $y$ 
and $r$, the task of predicting $H(x, r)$, and the task of finding $x$, are equally hard. 

We are now ready to describe the protocol. 

The protocol first asks that the prover $P$ run $G$ on input $1^n$ to obtain a pair 
$(f^*, f^{*-1})$. $P$ is then instructed to send $f^*$ to $V$ (while keeping $f^{*-1}$ to himself). 

And the problem is right here, in this first step. The analysis of [FLS] assumes 
that the prover performs this step correctly. This may be justified under the 
assumption that the trapdoor permutation generator is certified. If the generator 
is not certified, a cheating prover could, when $w \notin L$, select, and send to the 
verifier, an $n$-bit string which is not a trapdoor permutation. As we will see, this 
could compromise the soundness of the protocol. Let us proceed. 
Once the prover has supplied $f^*$, the reference string is regarded as a sequence 
$\sigma = y_1 r_1 \cdots y_l r_l$ of $l$ blocks of size $2n$, where $l = l(n)$ is a (suitable) polynomial 
(block $i$ consists of the pair of $n$-bit strings $y_i, r_i$). We say that the prover "opens 
block $i$ with value $b$" if he provides the verifier with an $n$-bit string $x_i$ such that 
$f(x_i) = y_i$ and $H(x_i, r_i) = b$. The prover now opens certain blocks of the random 
string (and the protocol specifies how an honest prover should choose which 
blocks to open). Based on the values of the opened blocks, their relative locations 
in the reference string, and the common input, the verifier decides whether or not 
to accept. Exactly how he does this is not relevant to our discussion. Exactly how 
the honest prover is supposed to decide which blocks to open (which he does as 
a function of the block, the common input, and his witness to the membership of 
the common input in $L$) is also not relevant to our discussion. What is important 
to note is that the soundness condition relies on the assumption that, with $f^*$ 
fixed, there exists a unique way to open any given block. If it is possible for the 
prover to open a block with value either 0 or 1, then the soundness of the FLS 
protocol is compromised. 

The assumption that there is (one and) only one way to open a block is 
justified if $f^*$ is a trapdoor permutation, because, in this case, $f$ is a permutation. 
However, if $f^*$ is not a trapdoor permutation, then $f$ may not be a permutation, 
and in such a case, the possibility exists that blocks may be opened with values 
of the prover's choice. 

We note that the gap is not an academic one. Considering concrete cases, such 
as the use of RSA or the trapdoor permutations based on quadratic residuosity 
that are suggested by [BBS], we see that the prover may indeed cheat. 

The solution that first suggests itself is that the prover prove (in NIZK) 
that he really got $f^*$ by running the generator $G$ (this is an NP statement). The 
problem is, however, that to prove this new statement itself requires the use of 
a trapdoor permutation, and we are only chasing our tail. 

We note that the whole problem would not arise if we were using a one-way 
permutation (rather than a trapdoor one) because, as we said above, a one-way 
permutation is a single object which both parties know a priori. Yet for the sake 
of maintaining the efficiency of the prover, we cannot use one-way permutations. 

Remark. Note that in the above NIZK proof, a (cheating) prover may choose $f^*$ 
as a function of the random string. But, as pointed out in [FLS], this causes no 
difficulties. We may assume, in the analysis, that the reference string is chosen 
after $f^*$ is fixed; later we apply a simple transformation which results in the 
proof system being secure even if $f^*$ was chosen as a function of $\sigma$. We will deal 
with this issue explicitly when it arises. 

1.4 Our Solution 

Let $f^*$ denote the $n$-bit string provided by the prover in the first step of the FLS 
protocol, as described above. As that discussion indicates, soundness does not 
really require that $f^*$ be a trapdoor permutation. All that it requires is that $f$ be 
a permutation. So it would suffice to certify this fact. 
To certify that a map from $\{0,1\}^n$ to $\{0,1\}^n$ is a permutation seems like a 
hard task (it is a coNP statement). What we will do is certify it is "almost" a 
permutation, and then show that this suffices. 

More precisely, let us call $f$ an $\varepsilon$-permutation if at most an $\varepsilon$ fraction of 
the points in $\{0,1\}^n$ have more than one pre-image under $f$. We show that 
on common input $f^*$, and access to a common (random) reference string of 
length $\varepsilon^{-1} \cdot n$, the prover can provide the verifier with a non-interactive, zero-knowledge 
proof that $f$ is an $\varepsilon$-permutation. For a more precise statement 
of the theorem and its proof we refer the reader to §3. 

We then show that adding this step to augment a multitude of independent 
FLS protocol instances yields a NIZK proof system (for any NP language) given 
the existence of any (not necessarily certified) trapdoor permutation generator. 
A complete proof of this fact is in §4. We note that this proof is in fact quite 
independent of the details of the FLS protocol and can be understood without 
a deep knowledge of the techniques of that paper. 

2 Preliminaries 

We begin by summarizing some basic notation and conventions which are used 
throughout the paper. We then discuss trapdoor permutations and say what it 
means for them to be "certified." Finally, we recall the definition, and some basic 
properties, of non-interactive zero-knowledge proof systems. 

2.1 Notation and Conventions 

We use the notation and conventions for probabilistic algorithms that originated 
in [GMR]. 

We emphasize the number of inputs received by an algorithm as follows. If 
algorithm $A$ receives only one input we write "$A(\cdot)$"; if it receives two we write 
"$A(\cdot, \cdot)$", and so on. If $A$ is a probabilistic algorithm then, for any input $i$ the 
notation $A(i)$ refers to the probability space which to the string $\sigma$ assigns the 
probability that $A$, on input $i$, outputs $\sigma$. 

If $S$ is a probability space we denote its support (the set of elements of 
positive probability) by $[S]$. 

If $f(\cdot)$ and $g(\cdot, \cdots)$ are probabilistic algorithms then $f(g(\cdot, \cdots))$ is the probabilistic 
algorithm obtained by composing $f$ and $g$ (i.e. running $f$ on $g$'s output). 
For any inputs $x, y, \ldots$ the associated probability space is denoted $f(g(x, y, \ldots))$. 

If $S$ is a probability space then $x \leftarrow S$ denotes the algorithm which assigns 
to $x$ an element randomly selected according to $S$. In the case that $[S]$ consists 
of only one element $e$ we might also write $x \leftarrow e$. 

For probability spaces $S, T, \ldots$, the notation 

$\Pr[\, p(x, y, \ldots) : x \leftarrow S;\ y \leftarrow T;\ \ldots \,]$ 

denotes the probability that the predicate $p(x, y, \ldots)$ is true after the (ordered) 
execution of the algorithms $x \leftarrow S$, $y \leftarrow T$, etc. 
Let $f$ be a function. The notation 

$\{\, f(x, y, \ldots) : x \leftarrow S;\ y \leftarrow T;\ \ldots \,\}$ 

denotes the probability space which to the string $\sigma$ assigns the probability 

$\Pr[\, \sigma = f(x, y, \ldots) : x \leftarrow S;\ y \leftarrow T;\ \ldots \,]$. 

When we say that a function is computable in polynomial time, we mean 
computable in time polynomial in the length of its first argument. 

We will be interested in families of efficiently computable functions of polyno- 
mial description. The following definition will be a convenient way of capturing 
them. 

Definition 1. Let $E(\cdot, \cdot)$ be a polynomial time computable function. We say 
that $E$ specifies an efficiently computable family of functions if for each $n > 0$ and 
each $f^*, x \in \{0,1\}^n$ it is the case that $|E(f^*, x)| = n$. Let $n > 0$ and $f^* \in \{0,1\}^n$. 
The function specified by $f^*$ under $E$ is the map from $\{0,1\}^n$ to $\{0,1\}^n$ given by 
$x \mapsto E(f^*, x)$. 

2.2 Trapdoor Permutations and Certified Ones 

Let us present a precise definition of trapdoor permutations and see what it 
means for them to be "certified." The definition that follows is from Bellare and 
Micali [BeMi]. 

Definition 2. (Trapdoor Permutation Generator) Let $G$ be a probabilistic, polynomial 
time algorithm, and let $E, I$ be polynomial time algorithms. We say that 
$(G, E, I)$ is a trapdoor permutation generator if the following conditions hold: 

• Generation: For every $n > 0$, the output of $G$ on input $1^n$ is a pair of $n$-bit 
strings. 

• Permutation: For every $n > 0$ and $(f^*, f^{*-1}) \in [G(1^n)]$, the maps $E(f^*, \cdot)$ and 
$I(f^{*-1}, \cdot)$ are permutations of $\{0,1\}^n$ which are inverses of each other (that is, 
$I(f^{*-1}, E(f^*, x)) = x$ and $E(f^*, I(f^{*-1}, y)) = y$ for all $x, y \in \{0,1\}^n$). 

• Security: For all probabilistic polynomial time (adversary) algorithms $A(\cdot, \cdot, \cdot)$, 
for all constants $c$ and sufficiently large $n$, it is the case that 

$\Pr[\, E(f^*, x) = y : (f^*, f^{*-1}) \leftarrow G(1^n);\ y \leftarrow \{0,1\}^n;\ x \leftarrow A(1^n, f^*, y) \,]$ 

is at most $n^{-c}$. 

We call G, E, I the generating, evaluating and inverting algorithms, respectively. 

The standard (conjectured) "trapdoor permutations," such as RSA [RSA] and 
the factoring based ones of Blum, Blum and Shub [BBS], do fit this definition, 
after some minor transformations (the need for these transformations arises from 
the fact that these number theoretic functions have domain $Z_N^*$ rather than 
$\{0,1\}^n$; we refer the reader to [BeMi] for details). 

If a trapdoor permutation generator $(G, E, I)$ is fixed and $(f^*, f^{*-1}) \in [G(1^n)]$ 
for some $n > 0$, then, in informal discussion, we call $f^*$ a trapdoor permutation. 
It is important to note that not every $n$-bit string $f^*$ is a trapdoor permutation: 
it is only one if there exists some $f^{*-1}$ such that $(f^*, f^{*-1}) \in [G(1^n)]$. In fact, the 
set of ($n$-bit strings which are) trapdoor permutations may be a fairly sparse 
subset of $\{0,1\}^n$, and, in general, may not be recognizable in polynomial (in $n$) 
time. If a trapdoor permutation generator does have the special property that 
it is possible to recognize a trapdoor permutation in polynomial time then we 
say that this generator is certified. The more formal definition follows. 

Definition 3. Let $(G, E, I)$ be a trapdoor permutation generator. We say that 
$(G, E, I)$ is certified if the language 

$L_{G,E,I} = \bigcup_{n \ge 1} \{\, f^* \in \{0,1\}^n : \exists f^{*-1} \in \{0,1\}^n \text{ such that } (f^*, f^{*-1}) \in [G(1^n)] \,\}$ 

is in BPP. 

We note that standard (conjectured) trapdoor permutation generators are (prob- 
ably) not certified. In particular, RSA is (probably) not certified, and nor is the 
trapdoor permutation generator of Blum, Blum and Shub [BBS]. This is because, 
in both these cases, the (description of) the trapdoor permutation /* includes a 
number which is a product of two primes, and there is (probably) no polynomial 
time procedure to test whether or not a number is a product of two primes. 

The importance of certification stems, as we have seen, from applications in 
which one party (for example, the prover) gives the other party (for example, the 
verifier) a string $f^*$ which is supposed to be a trapdoor permutation. For security 
reasons he may not wish to reveal (as proof that it is indeed one) the string 
$f^{*-1}$, but may nonetheless need to convince the verifier that $f^*$ is indeed a trapdoor 
permutation. In particular, the (implicit) assumption in [FLS] is that the 
trapdoor permutation generator being used is certified. As the above indicates, 
this means that their scheme cannot be instantiated with RSA or the trapdoor 
permutations of [BBS]. In later sections we will show how to extend their scheme 
so that any (not necessarily certified) trapdoor permutation generator suffices 
(so that RSA or the generator of [BBS] may in fact be used). 

We note that if $(G, E, I)$ is a trapdoor permutation generator, $f^* \in \{0,1\}^n$, 
and $x \in \{0,1\}^n$ then we may assume, without loss of generality, that $E(f^*, x)$ 
is an $n$-bit string. Hence $E(f^*, \cdot)$ does specify some map from $\{0,1\}^n$ to $\{0,1\}^n$, 
even if $f^*$ is not a trapdoor permutation. That is, in the terminology of 
Definition 1, we may assume, without loss of generality, that the algorithm 
$E$ specifies an efficiently computable family of functions. Of course, the map 
$E(f^*, \cdot)$ need not be a permutation on $\{0,1\}^n$. 

2.3 Non-Interactive Zero-knowledge Proof Systems 

We will consider non-interactive zero-knowledge proof systems for NP. It is help- 
ful to begin with the following terminology. 
Definition 4. Let $\rho(\cdot, \cdot)$ be a binary relation. We say that $\rho$ is an NP-relation 
if it is polynomial time computable and, moreover, there exists a polynomial $p$ 
such that $\rho(w, \omega) = 1$ implies $|\omega| \le p(|w|)$. For any $w \in \{0,1\}^*$ we let $\rho(w) = 
\{\, \omega \in \{0,1\}^* : \rho(w, \omega) = 1 \,\}$ denote the witness set of $w$. We let $L_\rho = \{\, w \in 
\{0,1\}^* : \rho(w) \ne \emptyset \,\}$ denote the language defined by $\rho$. A witness selector for $\rho$ is 
a map $W: L_\rho \to \{0,1\}^*$ with the property that $W(w) \in \rho(w)$ for each $w \in L_\rho$. 

Note that a language $L$ is in NP iff there exists an NP-relation $\rho$ such that 
$L = L_\rho$. 

We recall the definition of computational indistinguishability of ensembles. 
First, recall that a function $\delta: \{0,1\}^* \to \mathbb{R}$ is negligible if for every constant $d$ 
there exists an integer $n_d$ such that $\delta(w) \le |w|^{-d}$ for all $w$ of length at least $n_d$. 

Definition 5. An ensemble indexed by $L \subseteq \{0,1\}^*$ is a collection $\{E(w)\}_{w \in L}$ of 
probability spaces (of finite support), one for each $w \in L$. Let $E_1 = \{E_1(w)\}_{w \in L}$ 
and $E_2 = \{E_2(w)\}_{w \in L}$ be ensembles over a common index set $L$. We say that 
they are (computationally) indistinguishable if for every family $\{D_w\}_{w \in L}$ of non-uniform, 
polynomial time algorithms, the function 

$w \mapsto \left| \Pr[\, D_w(v) = 1 : v \leftarrow E_1(w) \,] - \Pr[\, D_w(v) = 1 : v \leftarrow E_2(w) \,] \right|$ 

is negligible. 

The definition that follows is based on that of Blum, De Santis, Micali and 
Persiano [BDMP]. However, we state the zero-knowledge condition differently; 
specifically, we use the notion of a witness selector to state the zero-knowledge 
condition in terms of the standard notion of computational indistinguishability, 
whereas in [BDMP] the zero-knowledge condition makes explicit reference to 
"distinguishing" algorithms. The two formulations are, of course, equivalent (but 
we feel this one is a little simpler because of its "modularity.") 

Definition 6. Let $\rho$ be an NP-relation and let $L = L_\rho$. Let $P$ be a machine, $V$ 
a polynomial time machine, and $S$ a probabilistic, polynomial time machine. We 
say that $(P, V, S)$ defines a non-interactive zero-knowledge proof system (NIZK 
proof system) for $\rho$ if there exists a polynomial $l(\cdot)$ such that the following three 
conditions hold. 

• Completeness: For every $w \in L$ and $\omega \in \rho(w)$, 

$\Pr[\, V(w, \sigma, p) = 1 : \sigma \leftarrow \{0,1\}^{l(n)};\ p \leftarrow P(w, \omega, \sigma) \,] = 1$, 

where $n = |w|$. 

• Soundness: For every machine $\hat P$ and every $w \notin L$, 

$\Pr[\, V(w, \sigma, p) = 1 : \sigma \leftarrow \{0,1\}^{l(n)};\ p \leftarrow \hat P(w, \sigma) \,] \le \tfrac{1}{2}$, 

where $n = |w|$. 

• Zero-knowledge: Let $W$ be any witness selector for $\rho$. Then the following two 
ensembles are (computationally) indistinguishable: 

(1) $\{ S(w) \}_{w \in L}$ 

(2) $\{\, (\sigma, p) : \sigma \leftarrow \{0,1\}^{l(|w|)};\ p \leftarrow P(w, W(w), \sigma) \,\}_{w \in L}$. 

We call $P$ the prover, $V$ the verifier and $S$ the simulator. The polynomial $l$ is the 
length of the reference string. We say that $P$ is efficient if it is polynomial time 
computable. 

We call $\sigma$ the "common random string" or the "reference string." 

The choice of 1/2 as the error-probability in the soundness condition is not 
essential. Given any polynomial $k(\cdot)$, the error-probability can be reduced to 
$2^{-k(n)}$ by running $k(n)$ independent copies of the original proof system in parallel 
and accepting iff all sub-proofs are accepting. 

A stronger definition (cf. [BDMP]) asks that in the soundness condition the 
adversary $\hat P$ be allowed to select a $w \notin L$ as a function of the reference string. 
This definition is, however, implied by the one above. More precisely, given 
$(P, V, S)$ satisfying the above definition, one can construct $(P', V', S')$ satisfying 
the more stringent definition, by a standard trick. Hence, we will stick to the 
simple definition. 

We note we are considering what have been called "single-theorem" or 
"bounded" NIZK proof systems. That is, the given reference string can be used 
to prove only a single theorem. The primitive of importance in applications (cf. 
[BeGo, NaYu]) is the "many-theorem" proof system. However, De Santis and 
Yung [DeYu], and Feige, Lapidot and Shamir [FLS], have shown that the existence 
(for some NP-complete relation) of a bounded NIZK proof system with an 
efficient prover implies the existence (for any NP-relation) of a many-theorem 
NIZK proof system (with an efficient prover), as long as one-way functions exist. 
Hence, given that the (bounded) NIZK proof systems we construct do have 
efficient provers, we may, without loss of generality, stick to the bounded case. 

3 A NIZK Proof that a Map is Almost a Permutation 

Suppose $E$ specifies an efficiently computable family of functions (cf. 
Definition 1), and suppose $f^* \in \{0,1\}^n$ for some $n > 0$. We address in this 
section the problem of providing a NIZK proof that the function specified by $f^*$ 
under $E$ is "almost" a permutation. 

We note that although this problem is motivated by the need to fill the gap 
in the FLS protocol (cf. §1.3), the results of this section might be of interest in 
their own right. Thus, we prefer to view them independently, and will make the 
link to [FLS] in the next section. 

In addressing the task of providing a NIZK proof that the function specified 
by $f^*$ under $E$ is "almost" a permutation, we must begin by clarifying two things. 
First, we need to say what it means for a function $f: \{0,1\}^n \to \{0,1\}^n$ to be 
"almost" a permutation. Our definition, of an $\varepsilon$-permutation, follows. Second, 
we must also say what we mean, in this context, by a NIZK proof (because the 
problem is not one of language membership). This is clarified below and in the 
statement of Theorem 8. 

Let us begin with the definition. It says that $f$ is an $\epsilon$-permutation if at most 
an $\epsilon$ fraction of the points in $\{0,1\}^n$ have more than one pre-image (under $f$). 
More formally, we have the following. 

Definition 7. Let $n > 0$ and $f\colon \{0,1\}^n \to \{0,1\}^n$. The collision set of $f$, denoted 
$C(f)$, is $\{\, y \in \{0,1\}^n : |f^{-1}(y)| > 1 \,\}$. Let $\epsilon \in [0,1]$. We call $f$ an $\epsilon$-permutation 
if $|C(f)| \le \epsilon 2^n$. 

We will now turn to the NIZK proof. The formal statement and proof of the 
theorem follow. Let us begin, however, by saying, informally, what we achieve, 
and giving the idea. 

We fix $E$ specifying an efficiently computable family of functions, and we 
fix a map $\epsilon\colon \{0,1\}^* \to (0,1]$. We consider a prover and verifier who share a 
(random) reference string and have as common input a string $f^* \in \{0,1\}^n$. If 
$f$ (the function specified by $f^*$ under $E$) is a permutation then the prover can 
convince the verifier to accept (this is the completeness condition). If $f$ is not 
an $\epsilon(n)$-permutation, then the verifier will usually reject (this is the soundness 
condition). 

We note the gap between these two conditions: we are guaranteed nothing if 
/ is an e(n)-permutation (but not a permutation). This is one way in which this 
"proof system" differs from proofs of language membership, where there are only 
two possibilities: either the input is in the language (and completeness applies) 
or it is not (and soundness applies). 

In addition, when / is a permutation, the interaction yields no (extra) knowl- 
edge to the verifier. This is formalized, as usual, by requiring the existence of an 
appropriate "simulator." 

The idea is very simply stated. Let $\sigma$ be the reference string, which we think 
of as divided into blocks of size $n$. If $f$ is not an $\epsilon(n)$-permutation, then each 
block has probability at most $1 - \epsilon(n)$ of being in the range of $f$. So if we ask 
the prover to provide the inverse of $f$ on $\epsilon^{-1}(n)$ different blocks, then he can 
succeed with probability at most $(1 - \epsilon(n))^{\epsilon^{-1}(n)} < 1/2$. Moreover, a collection 
of pre-images of $f$ on random points provides no information about (the easily 
computed) $f$, so the proof is zero-knowledge. 

Theorem 8. Let $E$ specify an efficiently computable family of functions. Let 
$\epsilon\colon \mathbb{N} \to (0,1]$, and assume $\epsilon^{-1}$ is polynomially bounded and polynomial time 
computable. Then there is a polynomial time oracle machine $A$, a polynomial 
time machine $B$, and a probabilistic, polynomial time machine $M$ such that the 
following three conditions hold. 

• Completeness: Let $n > 0$ and $f^* \in \{0,1\}^n$. Let $f$ denote the function specified 
by $f^*$ under $E$. Suppose $f$ is a permutation. Then 

$$\Pr\big[\, B(f^*, \sigma, p) = 1 \;:\; \sigma \leftarrow \{0,1\}^{\epsilon^{-1}(n)\cdot n};\; p \leftarrow A^{f^{-1}}(f^*, \sigma) \,\big] = 1 .$$

Here $A^{f^{-1}}$ denotes $A$ with oracle $f^{-1}$. 

• Soundness: Let $n > 0$ and $f^* \in \{0,1\}^n$. Let $f$ denote the function specified 
by $f^*$ under $E$. Suppose $f$ is not an $\epsilon(n)$-permutation. Then for any function 
$P$, 

$$\Pr\big[\, B(f^*, \sigma, p) = 1 \;:\; \sigma \leftarrow \{0,1\}^{\epsilon^{-1}(n)\cdot n};\; p \leftarrow P(f^*, \sigma) \,\big] < \frac{1}{2} .$$

• Zero-knowledge: Let $n > 0$ and $f^* \in \{0,1\}^n$. Let $f$ denote the function spec- 
ified by $f^*$ under $E$, and suppose $f$ is a permutation. Then the distributions 
$M(f^*)$ and $\{\, (\sigma, p) \;:\; \sigma \leftarrow \{0,1\}^{\epsilon^{-1}(n)\cdot n};\; p \leftarrow A^{f^{-1}}(f^*, \sigma) \,\}$ are equal. 

Proof: We specify the algorithm for the verifier. Let $f^* \in \{0,1\}^n$ and let $\sigma = 
\sigma_1 \ldots \sigma_{\epsilon^{-1}(n)}$ where each $\sigma_i$ has length $n$. Let $f$ denote the function specified by 
$f^*$ under $E$. On input $f^*$, $\sigma$, and a string $p$, the verifier $B$ rejects if the length 
of $p$ is not $\epsilon^{-1}(n) \cdot n$. Otherwise, it partitions $p$ into consecutive blocks of size $n$. 
We denote the $i$-th block by $p_i$, so that $p = p_1 \ldots p_{\epsilon^{-1}(n)}$. Then $B$ accepts iff for 
each $i = 1, \ldots, \epsilon^{-1}(n)$ it is the case that $f(p_i) = \sigma_i$. 

Next we specify the prover $A$. Let $f^* \in \{0,1\}^n$ and let $\sigma = \sigma_1 \ldots \sigma_{\epsilon^{-1}(n)}$ where 
each $\sigma_i$ has length $n$. Let $f$ denote the function specified by $f^*$ under $E$, and 
suppose $f$ is a permutation. On input $f^*$ and $\sigma$, and given $f^{-1}$ as oracle, $A$ 
sets $p_i = f^{-1}(\sigma_i)$ for each $i = 1, \ldots, \epsilon^{-1}(n)$. It then sets $p = p_1 \ldots p_{\epsilon^{-1}(n)}$ and 
outputs $p$. It is easy to see that the completeness condition is true. 

We now check the soundness condition. Let $f^* \in \{0,1\}^n$ and let $f$ denote the 
function specified by $f^*$ under $E$. We recall that $C(f) = \{\, y \in \{0,1\}^n : |f^{-1}(y)| > 1 \,\}$ 
is the collision set of $f$. Let $D(f) = \{\, y \in \{0,1\}^n : |f^{-1}(y)| = 0 \,\}$ be the 
set of $n$-bit strings not in the range of $f$. Note that $|D(f)| \ge |C(f)|$. We let 
$\delta(n) = |D(f)|/2^n$ denote the density of $D(f)$. Now assume $f$ is not an $\epsilon(n)$- 
permutation. Then $|C(f)| > \epsilon(n) 2^n$, and thus $\delta(n) > \epsilon(n)$. For any fixed string 
$\sigma = \sigma_1 \ldots \sigma_{\epsilon^{-1}(n)}$, the following are clearly equivalent: 

• There exists a string $p$ such that $B(f^*, \sigma, p) = 1$. 

• For each $i = 1, \ldots, \epsilon^{-1}(n)$ it is the case that $\sigma_i$ is in the range of $f$. 

However, if $\sigma$ is chosen at random, then for each $i = 1, \ldots, \epsilon^{-1}(n)$, the probability 
that $\sigma_i$ is in the range of $f$ is at most $1 - \delta(n)$, independently for each $i$. So for 
any $P$, 

$$\Pr\big[\, B(f^*, \sigma, p) = 1 \;:\; \sigma \leftarrow \{0,1\}^{\epsilon^{-1}(n)\cdot n};\; p \leftarrow P(f^*, \sigma) \,\big] \le [1 - \delta(n)]^{\epsilon^{-1}(n)} \le [1 - \epsilon(n)]^{\epsilon^{-1}(n)} < \frac{1}{2} .$$

We now specify $M$. Let $f^* \in \{0,1\}^n$ and let $f$ denote the function specified 
by $f^*$ under $E$. Suppose $f$ is a permutation. On input $f^*$, the machine $M$ 
picks $r_1, \ldots, r_{\epsilon^{-1}(n)} \in \{0,1\}^n$ at random and sets $\sigma_i := f(r_i)$, for each $i = 
1, \ldots, \epsilon^{-1}(n)$. It sets $p = r_1 \ldots r_{\epsilon^{-1}(n)}$ and outputs $(\sigma, p)$. The zero-knowledge is 
easy to check. □ 

We note that, in the above, we are thinking of $f^*$ as being the common input, 
and the reference string is chosen at random independently of $f^*$. Of course, 
in our application, the prover may choose $f^*$ as a function of the reference 
string. This, however, is easily dealt with by a standard trick, and so, for the 
moment, we focus on the case presented here. When we put everything together 
(cf. Theorem 12) we will return to this issue and show explicitly how to deal 
with it, given what we establish here. 

We note also that no cryptographic assumptions were needed for the above 
proof, and the zero-knowledge is "perfect." 
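To make the certification procedure of Theorem 8 concrete, here is an added Python model (not code from the paper) of the verifier $B$, the honest prover $A$ with its $f^{-1}$ oracle, the simulator $M$, and an unbounded cheating prover, for functions on $\{0,1\}^3$ given as lookup tables. It assumes `eps` is a rational with integral $\epsilon^{-1}$ (handled with `Fraction`), and it also computes the exact cheating probability next to the bound $(1-\epsilon)^{\epsilon^{-1}}$ from the proof.

```python
import random
from fractions import Fraction


def collision_set(tbl):
    """C(f) of Definition 7: the outputs y with more than one pre-image.
    A function f on {0,1}^n is a list with tbl[x] = f(x), x in [0, 2^n)."""
    counts = {}
    for y in tbl:
        counts[y] = counts.get(y, 0) + 1
    return {y for y, c in counts.items() if c > 1}


def is_eps_permutation(tbl, eps):
    """f is an eps-permutation iff |C(f)| <= eps * 2^n."""
    return len(collision_set(tbl)) <= eps * len(tbl)


def num_blocks(eps):
    """eps^{-1}(n): how many n-bit blocks the reference string holds."""
    return int(1 / Fraction(eps))


def random_reference_string(n, eps, rng=random):
    """sigma <- {0,1}^{eps^{-1}(n) * n}, kept as a list of n-bit blocks."""
    return [rng.randrange(2 ** n) for _ in range(num_blocks(eps))]


def verifier_B(tbl, sigma, proof):
    """B(f*, sigma, p): reject a proof of the wrong length, otherwise
    accept iff f(p_i) = sigma_i for every block i."""
    if len(proof) != len(sigma):
        return False
    return all(tbl[p] == s for p, s in zip(proof, sigma))


def prover_A(inverse_oracle, sigma):
    """Honest A with oracle f^{-1}: p_i = f^{-1}(sigma_i)."""
    return [inverse_oracle(s) for s in sigma]


def simulator_M(tbl, eps, rng=random):
    """M picks the pre-images r_i first and sets sigma_i = f(r_i); when f is
    a permutation, (sigma, p) is distributed exactly as in a real run."""
    proof = [rng.randrange(len(tbl)) for _ in range(num_blocks(eps))]
    return [tbl[p] for p in proof], proof


def cheating_prover(tbl, sigma):
    """Best possible (unbounded) cheater: inverts every block that lies in
    the range of f.  A block outside the range has no valid answer at all,
    so any filler (here 0) is as good as anything else."""
    preimage = {}
    for x, y in enumerate(tbl):
        preimage.setdefault(y, x)
    return [preimage.get(s, 0) for s in sigma]


def cheating_success_probability(tbl, eps):
    """Exact Pr[B accepts] against the cheater above, over a uniform sigma:
    every block must land in the range of f, independently per block."""
    in_range = Fraction(len(set(tbl)), len(tbl))
    return in_range ** num_blocks(eps)


def theorem_8_bound(eps):
    """The soundness bound (1 - eps)^{eps^{-1}} from the proof of Theorem 8."""
    eps = Fraction(eps)
    return (1 - eps) ** num_blocks(eps)


if __name__ == "__main__":
    eps = Fraction(1, 4)
    perm = [3, 0, 7, 1, 6, 2, 5, 4]            # constructed permutation of {0,1}^3
    inv = {y: x for x, y in enumerate(perm)}  # the f^{-1} oracle, as a table
    sigma = random_reference_string(3, eps)
    print("completeness:", verifier_B(perm, sigma, prover_A(inv.__getitem__, sigma)))
    print("simulated run accepted:", verifier_B(perm, *simulator_M(perm, eps)))
    two_to_one = [0, 0, 1, 1, 2, 2, 3, 3]      # |C(f)| = 4 > eps * 8 = 2
    print("eps-permutation:", is_eps_permutation(two_to_one, eps))
    print("cheater wins w.p.", cheating_success_probability(two_to_one, eps),
          "<=", theorem_8_bound(eps), "< 1/2")
```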

4 Using the Certification Procedure 

In this section we show how the certification procedure of Theorem 8 can be 
combined with the results of [FLS] to yield a NIZK proof system for any NP- 
relation. We stress that the argument we present here depends little on the 
specifics of the protocol of [FLS], and our proof does not presume familiarity with 
that paper. We begin by extending Definition 7 with the following terminology. 

Definition 9. Let $n > 0$ and $f\colon \{0,1\}^n \to \{0,1\}^n$. Let $\sigma = \sigma_1 \ldots \sigma_l$ for some 
$l \in \mathbb{N}$, where each $\sigma_i$ has length $n$. We say that $\sigma$ is $f$-bad if there is an $i \in 
\{1, \ldots, l\}$ such that $\sigma_i \in C(f)$. We denote by $C_l(f)$ the set of all $ln$-bit strings 
which are $f$-bad. 

We now state, without proof, a lemma which can be derived from [FLS]. The 
formal statement follows, but, since it is rather long, let us first try to give an 
informal explanation of what it says. 

Briefly, we show how to "measure" the "additional" error incurred by the 
[FLS] protocol in the case that the function being used is not a permutation. 
More precisely, we fix a trapdoor permutation generator $(G, E, I)$ and an NP- 
relation $\rho$. In order to make explicit the role played by the function used in the 
proof, we consider an interaction in which the common input is a pair $(w, f^*)$ 
of $n$-bit strings. The prover wishes to convince the verifier that $w \in L = L_\rho$, 
using $f^*$ as a "tool." We do not, a priori, know whether or not $f^*$ is a trapdoor 
permutation. 

The completeness condition (below) says that if $w \in L$, then, assuming $f^*$ 
really is a trapdoor permutation, the prover can convince the verifier that $w \in L$. 
Moreover, the zero-knowledge condition says this proof is zero-knowledge. The 
part we are really concerned with, however, is the soundness condition. 

The soundness condition says that if $w \notin L$ then the probability that a 
prover can convince the verifier to accept is bounded by a small error (1/4) plus 
a quantity that depends on $f^*$. Specifically, this quantity is the probability that 
the reference string is $f$-bad (cf. Definition 9), where $f$ is the function specified 
by $f^*$ under $E$. 

A priori, this quantity may be large. Once we have stated the lemma, we will 
show how to use the results of the previous section to decrease it. 

Lemma 10. Let $(G, E, I)$ be a trapdoor permutation generator. Let $\rho$ be an NP- 
relation, and let $L = L_\rho$. Then there exists a polynomial time machine $A$, a 
polynomial time machine $B$, a probabilistic, polynomial time machine $M$, and a 
polynomial $l(\cdot)$ such that the following three conditions hold. 

• Completeness: For every $w \in L$, every $\bar{w} \in \rho(w)$, and every $(f^*, \bar{f}^*) \in 
[G(1^n)]$, 

$$\Pr\big[\, B(w, \sigma, f^*, p) = 1 \;:\; \sigma \leftarrow \{0,1\}^{l(n)\cdot n};\; p \leftarrow A(w, \bar{w}, \sigma, f^*, \bar{f}^*) \,\big] = 1 ,$$

where $n = |w|$. 

• Soundness: For every machine $P$, every $w \notin L$, and every $f^* \in \{0,1\}^n$, 

$$\Pr\big[\, B(w, \sigma, f^*, p) = 1 \;:\; \sigma \leftarrow \{0,1\}^{l(n)\cdot n};\; p \leftarrow P(w, \sigma, f^*) \,\big] \le \frac{1}{4} + \Pr\big[\, \sigma \in C_{l(n)}(f) \;:\; \sigma \leftarrow \{0,1\}^{l(n)\cdot n} \,\big] ,$$

where $n = |w|$ and $f$ denotes the function specified by $f^*$ under $E$. 

• Zero-knowledge: Let $W$ be any witness selector for $\rho$. Then the following two 
ensembles are (computationally) indistinguishable: 

(1) $\{\, (\sigma, f^*, p) \;:\; (f^*, \bar{f}^*) \leftarrow G(1^n);\; (\sigma, p) \leftarrow M(w, f^*, \bar{f}^*) \,\}_{w \in L}$ 

(2) $\{\, (\sigma, f^*, p) \;:\; \sigma \leftarrow \{0,1\}^{l(n)\cdot n};\; (f^*, \bar{f}^*) \leftarrow G(1^n);\; p \leftarrow A(w, W(w), \sigma, f^*, \bar{f}^*) \,\}_{w \in L}$ 

We note that the statement of the above lemma makes no explicit reference 
to the methods underlying the proof of [FLS]. Our previous discussions should 
indicate whence, in the light of the [FLS] protocol, arises the "extra" term in the 
soundness condition, but this is not relevant to the present discussion: everything 
we need is captured by the statement of the lemma (and we refer the reader to 
[FLS] for its proof). 

We now show how to remove this extra /* dependent term in the soundness 
condition by having the prover certify (using the proof system of Theorem 8) 
that / is almost a permutation. The lemma that follows provides the formal 
statement and proof, but let us first say, informally, what is happening. 

On common input $(w, f^*)$, we have the prover give the proof of Lemma 10, 
and also, using a separate part of the reference string, run the procedure of 
Theorem 8. The verifier accepts iff both of these proofs are accepted (by their 
respective verifiers). The completeness and zero-knowledge conditions stay the 
same as in Lemma 10 (except that the reference string is longer, indicated by 
using a different symbol for its length); clearly, this is because the additional 
proof cannot hurt them. The soundness condition, however, now becomes more 
like a "real" soundness condition in that the "extra" term of Lemma 10 has 
disappeared. 

In the proof of the new soundness condition, we will have to consider two 
cases. First, we assume that / is "almost" a permutation, and show that in 
this case the "extra" term from the soundness condition of Lemma 10 is small. 
Second, we assume that / is not "almost" a permutation, and use the fact that 
we are guaranteed rejection (with high probability) by the soundness condition 
of Theorem 8. 

Lemma 11. Let $(G, E, I)$ be a trapdoor permutation generator. Let $\rho$ be an NP- 
relation and let $L = L_\rho$. Then there exists a polynomial time machine $A'$, a 
polynomial time machine $B'$, a probabilistic, polynomial time machine $M'$, and 
a polynomial $m(\cdot)$ such that the following three conditions hold. 

• Completeness: For every $w \in L$, every $\bar{w} \in \rho(w)$, and every $(f^*, \bar{f}^*) \in 
[G(1^n)]$, 

$$\Pr\big[\, B'(w, \sigma, f^*, p) = 1 \;:\; \sigma \leftarrow \{0,1\}^{m(n)\cdot n};\; p \leftarrow A'(w, \bar{w}, \sigma, f^*, \bar{f}^*) \,\big] = 1 ,$$

where $n = |w|$. 

• Soundness: For every machine $P$, every $w \notin L$, and every $f^* \in \{0,1\}^n$, 

$$\Pr\big[\, B'(w, \sigma, f^*, p) = 1 \;:\; \sigma \leftarrow \{0,1\}^{m(n)\cdot n};\; p \leftarrow P(w, \sigma, f^*) \,\big] \le \frac{1}{2} ,$$

where $n = |w|$. 

• Zero-knowledge: Let $W$ be any witness selector for $\rho$. Then the following two 
ensembles are (computationally) indistinguishable: 

(1) $\{\, (\sigma, f^*, p) \;:\; (f^*, \bar{f}^*) \leftarrow G(1^n);\; (\sigma, p) \leftarrow M'(w, f^*, \bar{f}^*) \,\}_{w \in L}$ 

(2) $\{\, (\sigma, f^*, p) \;:\; \sigma \leftarrow \{0,1\}^{m(n)\cdot n};\; (f^*, \bar{f}^*) \leftarrow G(1^n);\; p \leftarrow A'(w, W(w), \sigma, f^*, \bar{f}^*) \,\}_{w \in L}$ 

Proof: Let $A, B, M$ be the machines, and $l$ the polynomial, specified by 
Lemma 10. Let $\epsilon(\cdot) = 1/(4 l(\cdot))$. We apply Theorem 8 (with the algorithm $E$ be- 
ing the evaluating algorithm of our trapdoor family) to get a triplet of machines 
$\hat{A}, \hat{B}, \hat{M}$ satisfying the conditions of that theorem. We let $m(\cdot) = \epsilon^{-1}(\cdot) + l(\cdot) = 
5 l(\cdot)$. 

Notation: If $\sigma$ is a string of length $m(n) \cdot n$, then $\sigma[1]$ denotes the first $\epsilon^{-1}(n) \cdot n = 
4 l(n) \cdot n$ bits and $\sigma[2]$ denotes the last $l(n) \cdot n$ bits. 

We now specify the algorithm for the verifier $B'$. Let $f^* \in \{0,1\}^n$ and let $\sigma$ be 
a string of length $m(n) \cdot n$. On input $w$, $\sigma$, $f^*$, and a string $p$, the verifier $B'$ rejects 
if $|p| < \epsilon^{-1}(n) \cdot n$. Otherwise, it accepts if and only if 

$$\hat{B}(f^*, \sigma[1], p[1]) = 1 \quad\text{and}\quad B(w, \sigma[2], f^*, p[2]) = 1 ,$$

where $p[1]$ denotes the first $\epsilon^{-1}(n) \cdot n$ bits of $p$ and $p[2]$ denotes the rest. 

Next we specify $A'$. Let $w \in L$ and $\bar{w} \in \rho(w)$. Let $n = |w|$. Let $(f^*, \bar{f}^*) \in [G(1^n)]$. 
Let $\sigma$ be a string of length $m(n) \cdot n$. On input $w, \bar{w}, \sigma, f^*, \bar{f}^*$, the machine $A'$ 
sets $p[1] = \hat{A}^{f^{-1}}(f^*, \sigma[1])$ (note that $A'$ can obtain this output in polynomial 
time because, using $\bar{f}^*$, it can compute $f^{-1}$ in polynomial time). It then sets 
$p[2] = A(w, \bar{w}, \sigma[2], f^*, \bar{f}^*)$. Finally it sets $p = p[1]p[2]$ and outputs $p$. The fact 
that the completeness condition holds follows from the respective completeness 
conditions of Lemma 10 and Theorem 8. 

Now for the interesting part, namely the soundness condition. Suppose $w \notin L$. 
Let $n = |w|$ and let $f^* \in \{0,1\}^n$. Let $f$ denote the function specified by $f^*$ under 
$E$. We split the proof into two cases. 

Case 1: $f$ is an $\epsilon(n)$-permutation. 

By assumption, $|C(f)| \le \epsilon(n) 2^n$. So 

$$\Pr\big[\, \sigma[2] \in C_{l(n)}(f) \;:\; \sigma[2] \leftarrow \{0,1\}^{l(n)\cdot n} \,\big] \le \epsilon(n)\, l(n) = \frac{1}{4} .$$

By the soundness condition of Lemma 10 it follows that for every machine $P$, 

$$\Pr\big[\, B(w, \sigma[2], f^*, p[2]) = 1 \;:\; \sigma[2] \leftarrow \{0,1\}^{l(n)\cdot n};\; p[2] \leftarrow P(w, \sigma, f^*) \,\big] \le \frac{1}{4} + \frac{1}{4} = \frac{1}{2} .$$

The soundness condition follows from the definition of $B'$. Let us proceed to the 
next case. 

Case 2: $f$ is not an $\epsilon(n)$-permutation. 

The soundness condition of Theorem 8 implies that for any function $P$, 

$$\Pr\big[\, \hat{B}(f^*, \sigma[1], p[1]) = 1 \;:\; \sigma[1] \leftarrow \{0,1\}^{\epsilon^{-1}(n)\cdot n};\; p[1] \leftarrow P(f^*, \sigma[1]) \,\big] < \frac{1}{2} .$$

The soundness condition then follows directly from the definition of $B'$. This 
completes the proof of the soundness condition. 

The zero-knowledge, again, follows immediately from Lemma 10 and Theorem 8. 
Let $w \in L$ and let $n = |w|$. Let $(f^*, \bar{f}^*) \in [G(1^n)]$. On input $w, f^*, \bar{f}^*$, machine 
$M'$ runs $\hat{M}$ on input $f^*$ to get an output $(\sigma[1], p[1])$. It then runs $M$ on input 
$w, f^*, \bar{f}^*$ to get an output $(\sigma[2], p[2])$. It sets $\sigma = \sigma[1]\sigma[2]$ and $p = p[1]p[2]$ and 
outputs $(\sigma, p)$. □ 



One more step is needed to derive from Lemma 11 the existence of NIZK proof 
systems for any NP-relation (given the existence of a trapdoor permutation 
generator). Namely, the interaction must be on input $w$ (alone); the prover must 
be allowed to select $f^*$ (which in Lemma 11 is part of the common input) not 
only as a function of $w$ but also as a function of the reference string. Clearly, in 
the completeness condition, we may simply ask the prover to select $f^*$ by running 
the generation algorithm $G$. Any problems that arise will be in the soundness 
condition, where a cheating prover will take full advantage of the freedom to 
choose $f^*$ as a function of the reference string. 

For $w \notin L$, we may use the following "trick" (a standard probabilistic one, 
used, for the same purpose, in [BDMP] and [FLS]). For each fixed $f^* \in \{0,1\}^n$, 
we reduce the probability that the verifier accepts the interaction on inputs 
$(w, f^*)$ to $2^{-(n+1)}$, by parallel repetition. It follows that the probability that 
there exists a string $f^* \in \{0,1\}^n$ such that the verifier accepts on input $(w, f^*)$ 
is at most $2^n \cdot 2^{-(n+1)} = 1/2$. Details are below. 



Theorem 12. Let $\rho$ be an NP-relation. Suppose there exists a trapdoor permuta- 
tion generator. Then $\rho$ possesses a non-interactive zero-knowledge proof system 
with an efficient prover. 

Proof: Let $(G, E, I)$ be a trapdoor permutation generator. Let $A', B', M'$ be 
the machines, and $m$ the polynomial, specified by Lemma 11. Let $l(n) = m(n) \cdot 
n \cdot (n+1)$. We construct $P, V, S$ satisfying the conditions of Definition 6. 

Notation: If $\sigma$ is a string of length $l(n)$ then we think of it as partitioned into $n+1$ 
blocks, each of length $m(n) \cdot n$, and denote the $i$-th block by $\sigma[i]$ ($i = 1, \ldots, n+1$). 

We may assume, without loss of generality, that there is a polynomial $t$ such 
that $B'(w, \cdot, \cdot, p) = 1$ only if $|p| = t(|w|)$. Let $L = L_\rho$. We specify $V$. Let $w \in L$ 
and $\sigma \in \{0,1\}^{l(n)}$. On input $w, \sigma, p$, machine $V$ rejects if $|p| \ne n + (n+1)\, t(n)$. 
Otherwise, it sets $f^*$ to the first $n$ bits of $p$ and $p'$ to the rest. It further sets 
$p'[i]$ to the $i$-th $t(n)$-bit block of $p'$ ($i = 1, \ldots, n+1$). Now $V$ accepts iff for each 
$i = 1, \ldots, n+1$ it is the case that $B'(w, \sigma[i], f^*, p'[i]) = 1$. 

We now specify $P$. Let $w \in L$ and $\bar{w} \in \rho(w)$. Let $n = |w|$, and let $\sigma \in 
\{0,1\}^{l(n)}$. $P$ runs $G$ to obtain a (random) pair $(f^*, \bar{f}^*) \in [G(1^n)]$. It sets $p'[i] = 
A'(w, \bar{w}, \sigma[i], f^*, \bar{f}^*)$ for $i = 1, \ldots, n+1$, and sets $p' = p'[1] \ldots p'[n+1]$. Finally 
it sets $p = f^*.p'$ ("." denotes concatenation) and outputs $p$. The completeness 
condition (as required by Definition 6) follows from the completeness condition 
of Lemma 11. 

Next we check the soundness condition. Suppose $w \notin L$. Let $n = |w|$ and let 
$f^* \in \{0,1\}^n$. Let $\sigma \in \{0,1\}^{l(n)}$. We say that $\sigma$ is $f^*$-bad if for every 
$i \in \{1, \ldots, n+1\}$ there is a string $q \in \{0,1\}^{t(n)}$ such that $B'(w, \sigma[i], f^*, q) = 1$. 
Since the $n+1$ blocks $\sigma[i]$ are chosen independently, the soundness condition of 
Lemma 11 implies that 

$$\Pr\big[\, \sigma \text{ is } f^*\text{-bad} \;:\; \sigma \leftarrow \{0,1\}^{l(n)} \,\big] \le 2^{-(n+1)} .$$

Now let us say that a string $\sigma \in \{0,1\}^{l(n)}$ is bad if there exists an $n$-bit string 
$f^*$ such that $\sigma$ is $f^*$-bad. It follows that 

$$\Pr\big[\, \sigma \text{ is bad} \;:\; \sigma \leftarrow \{0,1\}^{l(n)} \,\big] \le 2^n \cdot 2^{-(n+1)} = \frac{1}{2} .$$

This implies the soundness condition (as required by Definition 6). 

Finally, we specify the simulator. Let $w \in L$ and let $n = |w|$. On input $w$, the 
simulator $S$ runs $G$ on input $1^n$ to obtain a (random) pair $(f^*, \bar{f}^*) \in [G(1^n)]$. 
For $i = 1, \ldots, n+1$ it runs $M'$ on input $w, f^*, \bar{f}^*$ to get an output $(\sigma[i], p'[i])$. 
It sets $\sigma = \sigma[1] \ldots \sigma[n+1]$ and $p' = p'[1] \ldots p'[n+1]$. It then sets $p = f^*.p'$ and 
outputs $(\sigma, p)$. The zero-knowledge (as required by Definition 6) can be argued 
based on the zero-knowledge condition of Lemma 11. We omit the details. □ 



In particular, NIZK proof systems are constructible based on RSA. 
Combining Theorem 12 with the result of [NaYu] yields the following. 

Corollary 13. Suppose there exists a trapdoor permutation generator. Then there 
exists an encryption scheme secure against chosen-ciphertext attack. 

Similarly, combining Theorem 12 with the result of [BeGo] yields the following. 

Corollary 14. Suppose there exists a trapdoor permutation generator. Then there 
exists an implementation of the signature scheme of [BeGo]. 
Abstract. Consider the following scenario: Alice and Bob, two parties who 
share no secret key initially but whose goal it is to generate a (large amount of) 
information-theoretically secure (or unconditionally secure) shared secret key, 
are connected only by an insecure public channel to which an eavesdropper Eve 
has perfect (read) access. Moreover, there exists a satellite broadcasting random 
bits at a very low signal power. Alice and Bob can receive these bits with certain 
bit error probabilities $\epsilon_A$ and $\epsilon_B$, respectively (e.g. $\epsilon_A = \epsilon_B = 30\%$) while Eve is 
assumed to receive the same bits much more reliably with bit error probability 
$\epsilon_E \ll \epsilon_A, \epsilon_B$ (e.g. $\epsilon_E = 1\%$). The errors on the three channels are assumed to 
occur at least partially independently. Practical protocols are discussed by which 
Alice and Bob can generate a secret key despite the facts that Eve possesses more 
information than both of them and is assumed to have unlimited computational 
resources as well as complete knowledge of the protocols. 

The described scenario is a special case of a much more general setup in which 
Alice, Bob and Eve are assumed to know random variables $X$, $Y$ and $Z$ jointly 
distributed according to some probability distribution $P_{XYZ}$, respectively. The 
results of this paper suggest building cryptographic systems that are provably 
secure against enemies with unlimited computing power under realistic assump- 
tions about the partial independence of the noise on the involved communication 
channels. 
1. Introduction 

One of the fundamental problems in cryptography is the transmission of a 
message $M$ from a sender (referred to as Alice) to a receiver (Bob) over an 
insecure communication channel such that an enemy (Eve) with access to this 
channel is unable to obtain useful information about $M$. 

In the classical model of a cryptosystem introduced by Shannon [9], Eve has 
perfect access to the insecure channel; thus she is assumed to receive an identical 
copy of the ciphertext $C$ received by the legitimate receiver Bob, where $C$ is 
obtained as a function of the plaintext message $M$ and a secret key $K$ shared by 
Alice and Bob. Shannon defined a cipher system to be perfect if the ciphertext 
is statistically independent of the plaintext or, in information-theoretic terms, if 
the ciphertext gives no information about the plaintext: 

$$I(M; C) = 0 .$$

When a perfect cipher is used to encrypt a message $M$, an enemy can do no 
better than guess $M$ without even looking at the ciphertext $C$. 

It is assumed that the reader is familiar with the fundamentals of information 
theory, in particular with the entropy $H(X)$ of a random variable $X$, the condi- 
tional entropy of $X$ given $Y$, $H(X \mid Y)$, and the mutual information between $X$ 
and $Y$ defined as $I(X; Y) = H(X) - H(X \mid Y)$. We refer to [4] for an introduction 
to information theory. 

Shannon gave as a simple example of a perfect cipher the well-known one- 
time pad which is completely impractical for most applications where only a 
short secret key is available. Shannon proved the pessimistic result that perfect 
secrecy can be achieved only when the secret key is at least as long as the 
plaintext message or, more precisely, when 

$$H(K) \ge H(M). \tag{1}$$

Almost all presently-used ciphers are based on Shannon's model but have 
only a short secret key; they can therefore theoretically be broken, for instance 
by an exhaustive key search. The goal of designing such a practical cipher is to 
guarantee that there exists no efficient algorithm for breaking it, for a reasonable 
definition of breaking. However, for no existing cipher can the computational 
security be proved without invoking an unproven intractability hypothesis. 

Perfect secrecy on the other hand is often prejudged as being impractical 
because of Shannon's pessimistic inequality (1). It is one of the goals of this 
paper to relativize this pessimism by pointing out that Shannon's apparently 
innocent assumption that, except for the secret key, the enemy has access to 
precisely the same information as the legitimate receiver, is much more restrictive 
than has generally been realized. 
The key to perfect secrecy without a shared secret key $K$ satisfying (1) 
is to modify Shannon's model such that the enemy cannot receive precisely 
(albeit almost) the same information as the legitimate receiver. Two previous 
approaches based on this idea are quantum cryptography introduced by Wiesner 
and put forward by Bennett, Brassard et al. [1], and Maurer's randomized cipher 
[7] which makes use of a public random string that is too long to be read entirely 
in feasible time. Both these approaches are impractical at present. 

Another approach is due to Wyner [11] and subsequently Csiszar and Korner 
[5] who considered a scenario in which the enemy Eve is assumed to receive 
messages transmitted by the sender Alice over a channel that is noisier than 
the legitimate receiver Bob's channel. The assumption that Eve's channel is 
worse than the main channel is unrealistic in general. The results of this paper 
demonstrate that this unrealistic assumption is unnecessary if Alice and Bob 
can also communicate over a completely insecure public channel. 

In this paper, the broadcast channel scenario is generalized to a scenario 
where Alice, Bob and Eve know random variables $X$, $Y$ and $Z$, respectively, 
jointly distributed according to some probability distribution $P_{XYZ}$, and where 
Alice and Bob can also communicate over a public channel. 

Note that the need for a public channel entails no significant loss of practi- 
cality in a cryptographic context because the channel need not provide secrecy. 
It is assumed, however, that all messages sent over the public channel can be 
received by Eve without error, but that she cannot modify messages or intro- 
duce fraudulent messages without being detected. If this last assumption cannot 
realistically be made, authenticity and data integrity can be ensured by using 
an unconditionally secure authentication scheme, for instance that of [10] based 
on universal hashing, which requires that Alice and Bob share a short secret key 
initially. In this case, the purpose of our protocols is to stretch (rather than to 
generate) a secret key unconditionally securely. Part of the generated key can 
be used for authentication in a subsequent instance of the protocol. 

The use of a public channel by two parties for extracting a secret key from 
an initially shared partially secret string was previously considered by Leung- 
Yan-Cheong [6] and independently by Bennett, Brassard and Robert [3]. 

This paper is concerned with key distribution as well as encryption. An 
unconditionally secure shared secret key generated by one of our protocols can 
be used as the key sequence in the one-time pad, thus achieving (virtually) 
perfect secrecy of the transmitted messages. 
2. Secret Key Agreement by Public Discussion 

Consider the following general key agreement problem. Assume that Alice, 
Bob and Eve know random variables $X$, $Y$ and $Z$, respectively, with joint prob- 
ability distribution $P_{XYZ}$, and that Eve has no information about $X$ and $Y$ 
other than through her knowledge of $Z$. More precisely, $I(XY; T \mid Z) = 0$ where 
$T$ summarizes Eve's complete information about the universe. $X$, $Y$ and $Z$ take 
on values in some finite alphabets $\mathcal{X}$, $\mathcal{Y}$ and $\mathcal{Z}$, respectively. Alice and Bob share 
no secret key initially (other than possibly a short key required for guarantee- 
ing authenticity and integrity of messages sent over the public channel), but 
are assumed to know $P_{XYZ}$. In particular, the protocol and the codes used by 
Alice and Bob are known to Eve. Every message communicated between Alice 
and Bob can be intercepted by Eve, but it is assumed that Eve cannot insert 
fraudulent messages nor modify messages on this public channel without being 
detected. 

Alice and Bob use a protocol in which at each step either Alice sends a 
message to Bob depending on $X$ and all the messages previously received from 
Bob, or vice versa (with $X$ replaced by $Y$). Without loss of generality, we 
consider only protocols in which Alice sends messages at odd steps ($C_1, C_3, \ldots$) 
and Bob sends messages at even steps ($C_2, C_4, \ldots$). Moreover, we can restrict 
the analysis to deterministic protocols since a possible randomizer which Alice's 
and/or Bob's strategy and messages might depend on can be considered as part 
of $X$ and $Y$, respectively. In other words, Alice and Bob can without loss 
of generality extend their known random variables $X$ and $Y$, respectively, by 
random bits that are statistically independent of $X$, $Y$ and $Z$. At the end of the 
$t$-step protocol, Alice computes a key $S$ as a function of $X$ and $C^t = [C_1, \ldots, C_t]$, 
and Bob computes a key $S'$ as a function of $Y$ and $C^t$. Their goal is to maximize 
$H(S)$ under the conditions that $S$ and $S'$ agree with very high probability and 
that Eve has very little information about $S$. More formally, 

$$H(C_i \mid C^{i-1} X) = 0 \quad \text{for odd } i, \tag{2}$$

$$H(C_i \mid C^{i-1} Y) = 0 \quad \text{for even } i, \tag{3}$$

$$H(S \mid C^t X) = 0 \tag{4}$$

and 

$$H(S' \mid C^t Y) = 0, \tag{5}$$

and it is required that 

$$P[S \ne S'] \le \epsilon \tag{6}$$

and 

$$I(S; C^t Z) \le \delta \tag{7}$$

for some specified (small) $\delta$ and $\epsilon$. 

By Fano's Lemma (cf. [4], p. 156) condition (6) implies that 

$$H(S \mid S') \le h(\epsilon) + \epsilon \log_2(|S| - 1) \tag{8}$$

where $|S|$ denotes the number of distinct values that $S$ takes on with non-zero 
probability. Note that $H(S \mid S') \to 0$ as $\epsilon \to 0$. 

If one requires that $P[S \ne S'] = 0$ and $I(S; C^t Z) = 0$ (i.e., that $\epsilon = 0$ in (6) 
and $\delta = 0$ in (7)) it appears obvious that $I(X; Y)$ is an upper bound on $H(S)$. 
It appears to be similarly obvious that $H(S) \le I(X; Y \mid Z) = I(XZ; YZ) - 
H(Z)$ because even under the assumption that Alice and Bob could learn $Z$, 
the remaining information shared by Alice and Bob is an upper bound on the 
information they can share in secrecy. The following theorem, which is proved 
in [8], summarizes these results. 

Theorem 1. For every key agreement protocol satisfying (2)-(5), 

$$H(S) \le I(X; Y \mid Z) + H(S \mid S') + I(S; C^t Z) .$$

In particular, 

$$H(S) \le I(X; Y) + H(S \mid S') + I(S; C^t) .$$

The following corollary follows from Theorem 1, inequality (8) and from 
$I(S; C^t) \le I(S; C^t Z)$. It should be pointed out that $I(X; Y) < I(X; Y \mid Z)$ is 
possible. 

Corollary 2. For every key agreement protocol satisfying (2)-(7), 

$$H(S) \le \min[\, I(X; Y),\ I(X; Y \mid Z) \,] + \delta + h(\epsilon) + \epsilon \log_2(|S| - 1) .$$



3. The Secret Key Rate 

In order to be able to prove lower bounds on the achievable size of a key 
shared by Alice and Bob in secrecy we need to make more specific assumptions 
about the distribution $P_{XYZ}$. One natural assumption is that the random exper- 
iment generating $XYZ$ is repeated many times independently: Alice, Bob and 
Eve receive $X^N = [X_1, \ldots, X_N]$, $Y^N = [Y_1, \ldots, Y_N]$ and $Z^N = [Z_1, \ldots, Z_N]$, 
respectively, where 

$$P_{X^N Y^N Z^N} = \prod_{i=1}^{N} P_{X_i Y_i Z_i}$$

and where $P_{X_i Y_i Z_i} = P_{XYZ}$ for $1 \le i \le N$. 

For such a scenario of independent, repetitions of a random experiment, which 
is well motivated by models such as discrete memoryless sources and channels 
previously considered in information theory, the quantity that appears to be of 
most interest from an information-theoretic point of view is defined below. 

Definition. The secret key rate of $X$ and $Y$ with respect to $Z$, denoted $S(X; Y \| Z)$, 
is the maximum rate at which Alice and Bob can agree on a secret key $S$ while 
keeping the rate at which Eve obtains information arbitrarily small, i.e., it is 
the maximal $R$ such that for every $\epsilon > 0$ there exists a protocol for sufficiently 
large $N$ satisfying (2)-(6) with $X$ and $Y$ replaced by $X^N$ and $Y^N$, respectively, 
satisfying 

$$\frac{1}{N}\, I(S; C^t Z^N) \le \epsilon ,$$

and achieving 

$$\frac{1}{N}\, H(S) \ge R - \epsilon .$$

Before deriving lower bounds on S(X\Y\\Z) we state the following theorem, 
which is an immediate consequence of Corollary 2. 

Theorem 3. The secret key rate of $X$ and $Y$ with respect to $Z$ is upper bounded 
by 

$$S(X; Y \| Z) \le \min[\, I(X; Y),\ I(X; Y \mid Z) \,] .$$



The following theorem (cf. [8] for a proof) states a nontrivial lower bound on
the secret key rate. If it is either the case that Eve has less information about
$Y$ than Alice or, by symmetry, less information about $X$ than Bob, then such a
difference of information can be exploited.

Theorem 4. The secret key rate of $X$ and $Y$ with respect to $Z$ is lower bounded
by

$S(X;Y\|Z) \ge \max[I(Y;X) - I(Z;X),\ I(X;Y) - I(Z;Y)]$.

Theorem 4 demonstrates that the upper bound in Theorem 3 is tight if either
$P_{YZ|X} = P_{Y|X} \cdot P_{Z|X}$ or $P_{XZ|Y} = P_{X|Y} \cdot P_{Z|Y}$. The lower bound of Theorem 4
is not tight in general, as will be demonstrated in the next section. In particular,
the lower bound of Theorem 4 is 0 for the situation described in the abstract
of the paper. There exist protocols with several rounds of interaction between
Alice and Bob which are superior to single-round protocols like the one used in
the proof of Theorem 4 (cf. [8]).
4. Binary Symmetric Random Variables

In this section the case of symmetrically distributed binary random variables
is considered. One way of generating such a set $X, Y, Z$ is by generating a random
bit $R$ according to

$P_R(0) = P_R(1) = 1/2$ (9)

and "sending" $R$ over three independent binary symmetric channels $C_A$, $C_B$ and
$C_E$ with error probabilities $\epsilon_A$, $\epsilon_B$ and $\epsilon_E$, respectively, i.e., $P_{XYZ}$ is defined by

$P_{XYZ|R} = P_{X|R} \cdot P_{Y|R} \cdot P_{Z|R}$ (10)

where $P_{X|R}(x,r) = 1 - \epsilon_A$ if $x = r$ and $\epsilon_A$ else, $P_{Y|R}(y,r) = 1 - \epsilon_B$ if $y = r$ and
$\epsilon_B$ else, and $P_{Z|R}(z,r) = 1 - \epsilon_E$ if $z = r$ and $\epsilon_E$ else.
Consider now an arbitrary probability distribution $P_{XYZ}$ over $\{0,1\}^3$ satisfying
the symmetry condition

$P_{XYZ}(x,y,z) = P_{XYZ}(\bar{x}, \bar{y}, \bar{z})$ (11)

for $x, y, z \in \{0,1\}$, where $\bar{c}$ denotes the complement of a binary variable $c$. Note
that condition (11) implies that $X$, $Y$ and $Z$ are symmetrically distributed. One
can prove (see [8]) that every set $X$, $Y$ and $Z$ of random variables satisfying (11)
and for which not exactly for one of the pairs $[X,Y]$, $[X,Z]$ and $[Y,Z]$ the two
random variables are statistically independent, can be generated according to
(9) and (10) for some $\epsilon_A$, $\epsilon_B$ and $\epsilon_E$.

As one realistic scenario where $X$, $Y$ and $Z$ with probability distribution
$P_{XYZ}$ satisfying (11) are available for two parties and an enemy, consider a
satellite broadcasting random bits at a very low signal-to-noise ratio such that
even an enemy Eve with a receiving antenna that is much larger and more
sophisticated than Alice's and Bob's antennas cannot receive the bits without
error. Note that $P_{XYZ}$ satisfies the given condition also when the channels
$C_A$, $C_B$ and $C_E$ are dependent, as one would realistically have to assume. The
following theorem has been proved in [8].

Theorem 5. Let $X$, $Y$ and $Z$ be binary random variables generated according
to (9) and (10). Then

$S(X;Y\|Z) \ge \max[h(\epsilon_A + \epsilon_E - 2\epsilon_A\epsilon_E),\ h(\epsilon_B + \epsilon_E - 2\epsilon_B\epsilon_E)] - h(\epsilon_A + \epsilon_B - 2\epsilon_A\epsilon_B)$.

The lower bound of Theorem 5 vanishes unless either $\epsilon_A < \epsilon_E$ or $\epsilon_B < \epsilon_E$,
i.e., unless either Alice's or Bob's channel is superior to Eve's channel. It is
somewhat surprising that even when Eve's channel is much more reliable than
both Alice's and Bob's channel, secret key agreement is possible.
The proof of Theorem 4 in [8] illustrates that by sending $X_i + V_i$ over the
public channel, where $X_i$ is the $i$th random bit received by Alice and where
addition is modulo 2, Alice can send the bit $V_i$ over a conceptual broadcast
channel to Bob and Eve such that Bob receives $V_i$ as if it were sent over a
cascade of Alice's and Bob's channel (bit error probability $\epsilon_A + \epsilon_B - 2\epsilon_A\epsilon_B$) and
Eve receives $V_i$ as if it were sent over a cascade of Alice's and Eve's channel (bit
error probability $\epsilon_A + \epsilon_E - 2\epsilon_A\epsilon_E$).

In order to share a secret key with Bob, Alice randomly selects a codeword
$V^N$ from the set of codewords of an appropriate error-correcting code $C$ with
codewords of length $N$ and sends it to Bob (and also to Eve) over the described
conceptual broadcast channel. The key to achieving a positive secret key rate
even if both $\epsilon_A > \epsilon_E$ and $\epsilon_B > \epsilon_E$ is for Bob to accept a received word only if
he can make a very reliable decision about the codeword sent by Alice, i.e., if it
is very close to some codeword of the code $C$, i.e., if the Hamming distance to a
codeword is much smaller than the number of errors correctable by an optimal
decoder for the code. For each received block Bob announces over the public
channel whether he accepts or rejects it.

The key observation in the above protocol is that although Eve receives code- 
words V N more reliably than Bob on the average, her conceptual channel may 
nevertheless be worse (for appropriate choices of a code C and for an appropriate 
reliability decision) than Bob's channel, if one averages only over those instances 
accepted by Bob. Because consecutive uses of the channel are independent, the 
words discarded by Bob are also useless for Eve. 

The special case of a repeat code was considered in [8]. Alice sends each bit
$N$ times over the conceptual channel, and Bob accepts a received word if and
only if all the bits are equal. Although this scheme demonstrates that secret key
agreement is possible even if $\epsilon_A > \epsilon_E$ and $\epsilon_B > \epsilon_E$, it is extremely inefficient
when $\epsilon_E$ is considerably smaller than both $\epsilon_A$ and $\epsilon_B$. The reason is that in
order to arrive at a situation where Bob's channel is better than Eve's channel if
averaged over those instances accepted by Bob, a large block length $N$ must be
used, in which case the probability that no error occurs within a block and thus
the block is accepted by Bob can be extremely small. It is one of the purposes of
this paper to describe protocols that are much more efficient than the protocol
discussed in [8].

An important observation towards improving the key agreement rate is that
several rounds of a protocol as described above can be used by Alice and Bob
to continuously increase the reliability of the shared string at the expense of
shrinking it. In a first step, and even in some subsequent steps, it is not required
that Bob knows Alice's bits more reliably than Eve; it is sufficient that Eve's
advantage is reduced in every step. Hence using several protocol steps with short
blocks allows one to achieve comparable bit error probabilities for the finally shared
string as if a long repeat code were used, but with a much larger rate.

Consider as an example a simple $N = 3$ repeat code. Bob accepts a received
block of length 3 if and only if all three bits agree, and announces which blocks
he accepts. The probability of accepting a block is $\ge 1/4$; hence the strings
held by Alice and Bob are shrunk by this step by at most a factor 12. Alice
and Bob can use the same step on the resulting string repeatedly, each time
decreasing its length by at most a factor 12 while increasing the bit agreement
probability. It is straightforward to verify that when $k$ steps are used, Bob's
and Eve's bit error probabilities when guessing the bits of Alice's final string are
precisely the same as if a repeat code of length $3^k$ had been used in the above
described basic protocol, but that the expected rate at which random secret key
bits are extracted is exponentially larger in the new protocol.

Example. Let $\epsilon_A = \epsilon_B = 0.47$ and let Eve's channel be 100 times less noisy,
i.e., have 100 times greater capacity. From $1 - h(\epsilon_E) = 100 \cdot (1 - h(\epsilon_A))$ we obtain
$\epsilon_E = 0.2093$. A repeat code of length 243 yields bit error probabilities 0.148 and
0.193 for Bob and Eve, but the probability that a block is accepted by Bob is not
significantly larger than $2^{-242}$. On the other hand, 5 consecutive applications
of the described step with a code of length 3 allow one to achieve the same bit error
probabilities, but only an expected number of at most $12^5 < 250{,}000$ (actually
much less) bits are required for generating one bit shared with the mentioned
bit error probabilities.
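The following Python script is an added worked example, not code from the paper, that reproduces the figures of this Example by exact computation rather than simulation, and generalizes them to arbitrary $N$ and error probabilities. It models one position of the conceptual broadcast channel by the joint distribution of Bob's and Eve's error bits, derived from (10) under the assumption of three independent binary symmetric channels; computes Bob's and Eve's error probabilities on an accepted repeat-code block of length $N$ (Eve's as the error of a maximum-likelihood guess, an assumed strategy), the block acceptance probability, and the expected number of source bits consumed by the iterated length-3 step. All function and variable names are the author's own choices.

```python
import math


def h(x):
    """Binary entropy function in bits, as used in Theorem 5 and the Example."""
    return -x * math.log2(x) - (1 - x) * math.log2(1 - x)


def eve_noise_for_capacity_ratio(eA, ratio):
    """Solve 1 - h(eE) = ratio * (1 - h(eA)) for eE in (0, 1/2) by bisection;
    h is increasing on that interval."""
    target = 1 - ratio * (1 - h(eA))
    lo, hi = 1e-9, 0.5
    for _ in range(200):
        mid = (lo + hi) / 2
        if h(mid) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


def error_joint(eA, eB, eE):
    """Joint distribution of (c, d) at one position of the conceptual broadcast
    channel: c = 1 iff Bob's received bit differs from Alice's (X != Y), d = 1
    iff Eve's does (X != Z). With R sent over three independent BSCs (eq. (10)),
    this is a sum over Alice's own channel error bit a."""
    def bsc(err, flipped):
        return err if flipped else 1 - err
    return {(c, d): sum(bsc(eA, a) * bsc(eB, a ^ c) * bsc(eE, a ^ d) for a in (0, 1))
            for c in (0, 1) for d in (0, 1)}


def accept_prob(p, N):
    """Bob accepts a length-N repeat block iff all N received bits agree,
    i.e. iff his N error bits are all 0 or all 1."""
    beta = p[1, 0] + p[1, 1]
    return (1 - beta) ** N + beta ** N


def bob_error(p, N):
    """Bob's bit error probability on an accepted block."""
    beta = p[1, 0] + p[1, 1]
    return beta ** N / accept_prob(p, N)


def eve_error(p, N):
    """Eve's error on an accepted block when she guesses V by maximum likelihood
    (assumed strategy), knowing that Bob's error bits are all equal. The
    likelihood of her received word depends only on its number n1 of ones."""
    acc = accept_prob(p, N)
    total = 0.0
    for n1 in range(N + 1):
        n0 = N - n1
        like0 = p[0, 0] ** n0 * p[0, 1] ** n1 + p[1, 0] ** n0 * p[1, 1] ** n1  # V = 0
        like1 = p[0, 0] ** n1 * p[0, 1] ** n0 + p[1, 0] ** n1 * p[1, 1] ** n0  # V = 1
        total += math.comb(N, n1) * min(like0, like1)
    return 0.5 * total / acc


def iterate_repeat3(p, steps):
    """Apply the length-3 accept-if-all-equal step `steps` times. Returns Bob's
    final bit error probability and the expected number of source bits consumed
    per bit of the final string (3 / acceptance probability, per step)."""
    beta = p[1, 0] + p[1, 1]
    cost = 1.0
    for _ in range(steps):
        acc = beta ** 3 + (1 - beta) ** 3
        cost *= 3 / acc
        beta = beta ** 3 / acc
    return beta, cost


def paper_example(eA=0.47, eB=0.47, ratio=100, N=243, steps=5):
    """The Example's parameters: eA = eB = 0.47, Eve's channel with 100 times
    the capacity, a repeat code of length 243 = 3^5 versus five length-3 steps."""
    eE = eve_noise_for_capacity_ratio(eA, ratio)
    p = error_joint(eA, eB, eE)
    beta_final, cost = iterate_repeat3(p, steps)
    return {
        "eE": eE,
        "bob_err": bob_error(p, N),
        "eve_err": eve_error(p, N),
        "log2_accept": math.log2(accept_prob(p, N)),
        "bob_err_iterated": beta_final,
        "expected_source_bits": cost,
    }


if __name__ == "__main__":
    for name, value in paper_example().items():
        print(f"{name:>22}: {value:.4f}")
```

The script confirms the three claims of the Example: Bob's error on an accepted length-243 block is 0.148 and Eve's about 0.19, the acceptance probability is about $2^{-241.5}$, and five iterations of the length-3 step give exactly the same error probability for Bob (the iterated update $\beta \mapsto \beta^3/(\beta^3 + (1-\beta)^3)$ composes to the length-$3^k$ formula) while consuming well under $12^5$ source bits per output bit.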

Of course, additional protocol steps are required for exploiting the advantage 
over Eve achieved by this protocol and reducing the bit error probability of the 
final shared string. For example, error correcting codes can be used to remove 
the errors between Alice's and Bob's string, and universal hashing as described 
in [3] can be used to reduce Eve's information. 

It should be pointed out that for given assumed ratios of the noise power on
the three channels, the signal power is a free parameter; thus $\epsilon_A$ can be chosen
arbitrarily. The larger $\epsilon_A$, the smaller is the signal power and hence the larger
can the satellite's bit transmission rate be chosen.

The use of repeat codes as described above, and more generally of linear 
error-correcting codes, is equivalent to the exchange of parity checks of the stored 
string over the public channel, without generating and encoding random bits, and 
using as a new string some orthogonal parity checks. Reconciliation protocols 
based on the exchange of parity checks were also discussed in [2]. 

A further improvement over the basic use of repeat codes described above is
for Bob to also accept instances for which a decision about the bit sent by Alice
is less reliable than if $N$ identical bits were received. In such a scenario, Bob
informs Alice (and Eve) about the number of errors he has received in a block,
assuming that his majority decision is correct.
Abstract. A key distribution scheme for dynamic conferences is a method
by which initially an (off-line) trusted server distributes private individual
pieces of information to a set of users. Later any group of users of a
given size (a dynamic conference) is able to compute a common secure
key. In this paper we study the theory and applications of such perfectly
secure systems. In this setting, any group of $t$ users can compute
a common key by each user computing using only his private piece of
information and the identities of the other $t - 1$ group users. Keys are
secure against coalitions of up to $k$ users, that is, even if $k$ users pool
together their pieces they cannot compute anything about a key of any
$t$-size conference comprised of other users.

First we consider a non-interactive model where users compute the common
key without any interaction. We prove a lower bound on the size of
the user's piece of information of $\binom{k+t-1}{t-1}$ times the size of the common
key. We then establish the optimality of this bound, by describing and
analyzing a scheme which exactly meets this limitation (the construction
extends the one in [2]). Then, we consider the model where interaction is
allowed in the common key computation phase, and show a gap between
the models by exhibiting an interactive scheme in which the user's information
is only $k + t - 1$ times the size of the common key. We further
show various applications and useful modifications of our basic scheme.
Finally, we present its adaptation to network topologies with neighborhood
constraints.

1 Introduction 

Key distribution is a central problem in cryptographic systems, and is a major
component of the security subsystem of distributed systems, communication
systems, and data networks. The increase in bandwidth, size, usage, and applications
of such systems is likely to pose new challenges and to require novel
ideas. A growing application area in networking is "conferencing": a group of
entities (or network locations) collaborate privately in an interactive procedure
(such as: a board meeting, a scientific discussion, a task-force, a classroom, or a
bulletin-board). In this work we consider perfectly-secure key distribution for
conferences. (Note that key distribution for two-party communication (session
keys) is a special case of conferences of size two.)

If users of a group (a conference) wish to communicate in a network us- 
ing symmetric encryption, they must share a common key. A key distribution 
scheme (denoted KDS for short) is a method to distribute initial private pieces 
of information among a set of users, such that each group of a given size (or up 
to a given size) can compute a common key for secure conference. This informa- 
tion is generated and distributed by a trusted server which is active only at the 
distribution phase. 

Various key distribution schemes have been proposed so far, mainly for pairs of
users (session keys). A basic and straightforward perfectly-secure scheme (which
is useful in small systems) consists of distributing initial keys to users in such
a way that each potential group of users shares a common key. In the case of
session keys, if $n$ is the number of users, the server has to generate $n(n-1)/2$
keys and each user holds $n - 1$ keys, one for each possible communication. When
$n$ gets large it becomes problematic or even impossible to manage all keys. This
is known as the $n^2$ problem. For conferences, when we allow all possible subsets
of a given size to join together (what we call the dynamic conference setting),
the number of keys becomes prohibitively large.

Given the high complexity of such a distribution mechanism, a natural step is 
to trade complexity for security. We may still require that keys are perfectly se- 
cure, but only with respect to an adversary controlling coalitions of a limited size. 
This novel approach was initiated by Blom [2] for the case of session keys (other 
related schemes are given in [10, 14]). We are motivated by Blom's (somewhat 
forgotten) pioneering work. We consider key-distribution for dynamic confer- 
ences and study the theory and applications of such systems. Our scheme has 
two parameters: t, the size of the conference (group), and k, the size of adversary 
coalitions. Another characteristic of such schemes is whether they are interactive 
(users discuss during common-key establishment phase) or non-interactive. 

1.1 The results 

We give a precise model of our setting and then we analyze and design perfectly- 
secure key distribution schemes for dynamic conferences. We show the following: 

1. Lower bound: We consider the non-interactive model and prove that the size
of the piece of a user's information is at least $\binom{k+t-1}{t-1}$ times the size of the
common key.

2. Matching upper bound: We propose a concrete scheme and show that it indeed
gives pieces of this size, thus establishing the optimality of the bound.

3. Gap: We compare the interactive to the non-interactive settings. We show an
interactive scheme where the user's information is only $k + t - 1$ times the
size of the common key, proving a separation between the interactive and
the non-interactive cases.

4. Constrained Conferencing: In Section 7 we present modifications of the schemes
to systems in which conferences are generated according to neighborhood
constraints (of the network communication graph).

5. Applications: We then extend the ideas to show numerous applications and 
uses of the scheme, such as: hierarchical key distribution schemes, asymmet- 
ric user-population, access-control validation, partial key revocation, etc. 

Our analysis applies information-theory and its basic notions of entropy and 
mutual information, as well as their conditional versions. In Section 2 we review 
these notions and present basic equations to be used in the analysis. 

1.2 Related work 

The two common approaches to key distribution, taken in order to reduce the
inherent complexity of the basic straightforward scheme, are schemes based on
public-key cryptography [5] or on an authentication server [19]. Numerous suggestions
for key distribution schemes based on computational assumptions are
known, as well as a number of suggestions for conference keys. We note that
"Merkle's puzzles" [17] is also a pioneering key generation scheme which is computational;
for a seemingly negative result concerning such methods see [11].
The interactive model is related to (but different from) the recent models basing
perfectly-secure common key generation on an initial card deal [6, 7]. Blom's
innovative method (and thus our setting) is a key distribution which is ID-based
and predated the formal definition of this notion by Shamir [21]; his technical
tool was MDS linear codes. Later, Matsumoto and Imai [16] extended the work
of [2] to general symmetric functions, and systematically defined key distribution
schemes based on such general functions; our scheme can actually be viewed as
a special case of their general system. (Another related recent work is in [23].)
Fiat and Naor have recently suggested a key distribution scheme which is not algebraic,
and Alon has given a lower bound for their scheme [18]. Remark: finally
we note that various suggestions for computational key distribution in different
settings (e.g., [15, 20, 25, 24, 8]) and conferencing (e.g., [12, 3, 22]) have appeared
in the last years (mainly in the Crypto and Eurocrypt conference proceedings
series).

Organization: In Section 2 we recall the definition of the entropy and some
of its properties. In Section 3 we formally describe the model of a KDS in terms
of the entropy. In Section 4 we prove the lower bound on the entropy of each
user in a $k$-secure $t$-conference KDS. In Section 5 we then describe and analyze
the actual schemes for $k$-secure $t$-conference KDS. In Section 6 we show how
interaction can be used to dramatically decrease the amount of information
held by each user. In Section 7 we present another result: a protocol to realize
a conference KDS when not all pairs of users are able to communicate. In
Section 8 we present applications; in particular the scheme can be combined with
authentication procedures, as the ID of the owner and other meaning attached
to a key owner can be naturally supported by such a system.

2 Background 

In this part we review the information theoretic concepts we are going to use. 
For a complete treatment of the subject the reader is advised to consult [4] and 
[9]. 

Given a probability distribution $\{p(x)\}_{x \in X}$ on a set $X$, we define the entropy
of $X$, $H(X)$, as

$H(X) = -\sum_{x \in X} p(x) \log p(x)$.²

The entropy $H(X)$ is a measure of the average information content of the elements
in $X$ or, equivalently, a measure of the average uncertainty one has about
which element of the set $X$ has been chosen when the choices of the elements
from $X$ are made according to the probability distribution $\{p(x)\}_{x \in X}$. It is well
known that $H(X)$ is a good approximation to the average number of bits needed
to faithfully represent the elements of $X$. The following property of $H(X)$ can
somehow illustrate the soundness of our first claim:

$0 \le H(X) \le \log|X|$, (1)

where $H(X) = 0$ if and only if there exists $x_0 \in X$ such that $p(x_0) = 1$;
$H(X) = \log|X|$ if and only if $p(x) = 1/|X|$, $\forall x \in X$.

Given two sets $X$ and $Y$ and a joint probability distribution $\{p(x,y)\}_{x \in X, y \in Y}$
on their cartesian product, the conditional entropy $H(X|Y)$, also called the
equivocation of $X$ given $Y$, is defined as

$H(X|Y) = -\sum_{y \in Y} \sum_{x \in X} p(y)\, p(x|y) \log p(x|y)$.

The conditional entropy can be written as $H(X|Y) = \sum_{y \in Y} p(y) H(X|Y=y)$
where $H(X|Y=y) = -\sum_{x \in X} p(x|y) \log p(x|y)$ can be interpreted as the average
uncertainty one has about which element of $X$ has been chosen when the choices
are made according to the probability distribution $\{p(x|y)\}_{x \in X}$, that is, when it
is known that the value chosen from the set $Y$ is $y$. From the definition of
conditional entropy it is easy to see that

$H(X|Y) \ge 0$. (2)

If we have $n + 1$ sets $X_1, \ldots, X_n, Y$ the entropy of $X_1 \ldots X_n$ given $Y$ can be
written as

$H(X_1 \ldots X_n | Y) = H(X_1|Y) + H(X_2|X_1 Y) + \cdots + H(X_n|X_1 \ldots X_{n-1} Y)$ (3)

² All logarithms in this paper are of base 2.
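As an added worked example (not from the paper), the following Python code computes these quantities from an explicit joint probability mass function and checks properties (1), (2) and (3) numerically. It goes beyond the definitions on this page by also covering the mutual information and conditional mutual information identities (4)-(8) that the paper defines next, and by evaluating, on a constructed two-piece example, the two entropy conditions that the key distribution model of Section 3 imposes (a key that one piece alone is independent of, but that the pieces together determine). The joint distributions and the function names are the author's own constructions.

```python
import math


def marginal(joint, keep):
    """Marginalize a joint pmf {(x_1, ..., x_m): p} onto the coordinates in `keep`."""
    out = {}
    for key, pr in joint.items():
        sub = tuple(key[i] for i in keep)
        out[sub] = out.get(sub, 0.0) + pr
    return out


def entropy(joint, vars_):
    """H of the variables at the coordinate indices `vars_`, in bits (base-2 logs)."""
    return -sum(pr * math.log2(pr) for pr in marginal(joint, vars_).values() if pr > 0)


def cond_entropy(joint, a, given):
    """H(A|B) computed as H(AB) - H(B), which equals the paper's sum_y p(y) H(A|B=y)."""
    return entropy(joint, tuple(a) + tuple(given)) - entropy(joint, tuple(given))


def mutual_info(joint, a, b, given=()):
    """I(A;B|C) = H(A|C) - H(A|C B), eq. (7); with C empty this is eq. (4)."""
    given = tuple(given)
    return cond_entropy(joint, a, given) - cond_entropy(joint, a, given + tuple(b))


# Coordinate indices of the three variables in the constructed joint pmfs below.
X, Y, Z = (0,), (1,), (2,)


def markov_example():
    """Constructed pmf (author's choice): X a uniform bit, Y = X with probability
    0.9, Z = Y with probability 0.8, so X -> Y -> Z is a Markov chain."""
    return {(x, y, z): 0.5 * (0.9 if y == x else 0.1) * (0.8 if z == y else 0.2)
            for x in (0, 1) for y in (0, 1) for z in (0, 1)}


def check_identities(joint, tol=1e-12):
    """Numerically verify properties (1), (2), (3), (5), (6) and (8) on `joint`."""
    hx = entropy(joint, X)
    checks = [
        0 <= hx <= math.log2(len(marginal(joint, X))) + tol,                     # (1)
        cond_entropy(joint, X, Y) >= -tol,                                         # (2)
        abs(cond_entropy(joint, X + Y, Z)
            - (cond_entropy(joint, X, Z) + cond_entropy(joint, Y, X + Z))) < tol,  # (3)
        abs(mutual_info(joint, X, Y) - mutual_info(joint, Y, X)) < tol,            # (5)
        hx >= cond_entropy(joint, X, Y) - tol,                                     # (6)
        cond_entropy(joint, X, Z) >= cond_entropy(joint, X, Z + Y) - tol,          # (8)
    ]
    return all(checks)


def one_piece_reveals_nothing():
    """Constructed pmf: a key S and a piece U1 are uniform bits, U2 = S xor U1.
    Returns (H(S|U1), H(S|U1 U2), H(S)): one piece is independent of the key,
    both pieces together determine it."""
    joint = {(s, u1, s ^ u1): 0.25 for s in (0, 1) for u1 in (0, 1)}
    S, U1, U2 = (0,), (1,), (2,)
    return (cond_entropy(joint, S, U1), cond_entropy(joint, S, U1 + U2), entropy(joint, S))


if __name__ == "__main__":
    j = markov_example()
    print("identities (1)-(8) hold:", check_identities(j))
    print("I(X;Z|Y) for the Markov chain:", round(mutual_info(j, X, Z, Y), 12))
    print("H(S|U1), H(S|U1 U2), H(S):", one_piece_reveals_nothing())
```

On the Markov chain the conditional mutual information $I(X;Z|Y)$ comes out as 0 and $I(X;Y) > I(X;Z)$, the data-processing behaviour one expects from (7) and (8); on the two-piece example $H(S|U_1) = H(S) = 1$ while $H(S|U_1 U_2) = 0$.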
The mutual information between $X$ and $Y$ is defined by

$I(X;Y) = H(X) - H(X|Y)$ (4)

and enjoys the following properties:

$I(X;Y) = I(Y;X)$, (5)

and $I(X;Y) \ge 0$, from which one gets

$H(X) \ge H(X|Y)$ (6)

with equality if and only if $X$ and $Y$ are independent. Given sets $X$, $Y$, $Z$ and a
joint probability distribution on their cartesian product, the conditional mutual
information between $X$ and $Y$ given $Z$ can be written as

$I(X;Y|Z) = H(X|Z) - H(X|ZY)$. (7)

Since a property of the conditional mutual information is $I(X;Y|Z) \ge 0$ we get

$H(X|Z) \ge H(X|ZY)$. (8)

3 The Model

In this section we present the key distribution problem and model. A key distribution
scheme (indicated by KDS for short) distributes some information among
a set of users, so that any $t$ of them can join and generate a secure key. We assume
a trusted off-line server active only at initiation (unlike an on-line server
approach put forth in [19] which we call server-based KDS). We say the system
is $k$-secure if any $k$ users, pooling together their pieces, have no information on
keys they should not know. These schemes can be further classified into two categories:
interactive (where users are engaged in a protocol, prior to usage of the
common key), and non-interactive where keys are generated privately by the individuals.
Next, we formally define non-interactive key distribution schemes. Our
definition of security is based on the notion of entropy and is thus unconditional.

Let $U = \{U_1, \ldots, U_n\}$ be a set of users. The algorithm used by the server to
generate the pieces of information, that will be distributed to the users, is randomized.
The server generates the vector $(u_1, u_2, \ldots, u_n)$ according to some probability
distribution on the cartesian product $U_1 \times \cdots \times U_n$. The piece $u_i$ denotes
the information given by the server to user $U_i$. In order to simplify notation we
denote by $U_i$ both the user $U_i$ and the random variable induced by the value $u_i$,
and by $S_{i_1,\ldots,i_t}$ we denote both the set of common keys among users $U_{i_1}, \ldots, U_{i_t}$
and the random variable induced by these common keys. Each user $U_{i_j}$ can deterministically
compute, on input only $u_{i_j}$ and $i_1, \ldots, i_{j-1}, i_{j+1}, \ldots, i_t$, his common
keys $s_{\sigma(i_1),\ldots,\sigma(i_t)}$ for all permutations $\sigma : \{i_1, \ldots, i_t\} \to \{i_1, i_2, \ldots, i_t\}$,
to be used with users $U_{i_1}, \ldots, U_{i_{j-1}}, U_{i_{j+1}}, \ldots, U_{i_t}$. Each common key $s_{i_1,\ldots,i_t}$ is
generated according to a probability distribution $\{p(s_{i_1,\ldots,i_t})\}_{s_{i_1,\ldots,i_t} \in S_{i_1,\ldots,i_t}}$ induced by
the fact that each user calculates deterministically the common key by using the
initial information received from the server, which has been generated by a randomized
algorithm. The probability $p(s_{i_1,\ldots,i_t})$ denotes the a priori probability
that the common key among users $U_{i_1}, \ldots, U_{i_t}$ is $s_{i_1,\ldots,i_t}$.

The maximum value that the security parameter $k$ can take in any $t$-conference
KDS for $n$ users is $n - t$ since any adversary coalition can contain at most $n - t$
users. Formally we define a $k$-secure $t$-conference key distribution scheme for $n$
users as follows.

Definition 3.1 Let $U$ be a set of users and let $k$, $k \le |U| - t$, be an integer. A
non-interactive key distribution scheme for $U$ is $k$-secure if

1. Each $t$-uple of users can non-interactively compute the common key.
For all $U_{i_1}, \ldots, U_{i_t} \in U$, it holds $p(s_{i_1,\ldots,i_t}|u_{i_1}) = \cdots = p(s_{i_1,\ldots,i_t}|u_{i_t}) = 1$.

2. Any group of $k$ users have no information on a key they should not know.
For all $U_{i_1}, \ldots, U_{i_t}, U_{j_1}, \ldots, U_{j_k} \in U$ such that $j_1, \ldots, j_k \notin \{i_1, \ldots, i_t\}$, it
holds

$p(s_{i_1,\ldots,i_t}|u_{j_1}, \ldots, u_{j_k}) = p(s_{i_1,\ldots,i_t})$.

Property 1. means that given the value held by the user $U_{i_l}$, $l = 1, 2, \ldots, t$, a
unique value of the common key exists. Property 2. states that the probability
that the common key among users $U_{i_1}, \ldots, U_{i_t}$ is $s_{i_1,\ldots,i_t}$ given the information
held by users $U_{j_1}, \ldots, U_{j_k}$ is equal to the a priori probability that the common
key is $s_{i_1,\ldots,i_t}$. This means that random variables $S_{i_1,\ldots,i_t}$ and $U_{j_1} \times \cdots \times U_{j_k}$
are statistically independent, so the values $u_{j_1}, \ldots, u_{j_k}$ reveal no information on
the common key $s_{i_1,\ldots,i_t}$. By using the entropy function it is possible to give an
equivalent definition of a $k$-secure non-interactive $t$-conference KDS.

Definition 3.2 Let $U = \{U_1, \ldots, U_n\}$ be a set of users and let $k$, $k \le n - t$,
be an integer. A non-interactive $t$-conference key distribution scheme for $U$ is
$k$-secure if

1'. Each $t$ users can non-interactively compute the common key.

For all different $i_1, \ldots, i_t \in \{1, 2, \ldots, n\}$, $H(S_{i_1,\ldots,i_t}|U_{i_1}) = \cdots = H(S_{i_1,\ldots,i_t}|U_{i_t}) = 0$.

2'. Any group of $k$ users have no information on a key they should not know.

For all users $U_{i_1}, \ldots, U_{i_t}, U_{j_1}, \ldots, U_{j_k}$ such that $j_1, \ldots, j_k \notin \{i_1, \ldots, i_t\}$, $H(S_{i_1,\ldots,i_t}|U_{j_1} \ldots U_{j_k}) = H(S_{i_1,\ldots,i_t})$.

Notice that $H(S_{i_1,\ldots,i_t}|U_{i_1}) = \cdots = H(S_{i_1,\ldots,i_t}|U_{i_t}) = 0$, for all different $i_1, \ldots, i_t \in \{1, 2, \ldots, n\}$, means that each set of values held by the user $U_{i_l}$, $l = 1, 2, \ldots, t$, corresponds
to a unique value of the common key. In fact, by definition, $H(S_{i_1,\ldots,i_t}|U_{i_l}) = 0$
is equivalent to the fact that for all $u_{i_l} \in U_{i_l}$ with $p(u_{i_l}) > 0$, a unique value
$s_{i_1,\ldots,i_t} \in S_{i_1,\ldots,i_t}$ such that $p(s_{i_1,\ldots,i_t}|u_{i_l}) = 1$ exists. Moreover, $H(S_{i_1,\ldots,i_t}|U_{j_1} \ldots U_{j_k}) = H(S_{i_1,\ldots,i_t})$ is equivalent to saying that $S_{i_1,\ldots,i_t}$ and $U_{j_1} \times \cdots \times U_{j_k}$ are statistically
independent, i.e., for all $(u_{j_1}, \ldots, u_{j_k}) \in U_{j_1} \times \cdots \times U_{j_k}$, we have $p(s_{i_1,\ldots,i_t}|u_{j_1}, \ldots, u_{j_k}) = p(s_{i_1,\ldots,i_t})$.
Property 1'. in Definition 3.2 states that any $t$ users can compute the same
common key. Actually, each user $U_{i_j}$ can calculate $t!$ keys for the same conference.
Property 1'. does not say anything on the relationship among these
$t!$ keys: all $t!$ keys could be equal so one key uniquely determines the other
keys, that is $H(S_{\sigma(i_1),\ldots,\sigma(i_t)}|S_{i_1,\ldots,i_t}) = 0$, for all permutations $\sigma : \{i_1, i_2, \ldots, i_t\} \to \{i_1, i_2, \ldots, i_t\}$; or the keys could be all different and given one key we do not know
anything on the other keys, that is $H(S_{\sigma(i_1),\ldots,\sigma(i_t)}|S_{i_1,\ldots,i_t}) = H(S_{\sigma(i_1),\ldots,\sigma(i_t)})$.
Our lower bounds are valid in both cases, since they are based only on Properties
1'. and 2'. On the other hand, in this paper all schemes that realize $k$-secure
$t$-conference KDS are symmetric, that is schemes in which the common key
is symmetric: $s_{i_1,\ldots,i_t} = s_{\sigma(i_1),\ldots,\sigma(i_t)}$ for all permutations $\sigma : \{i_1, i_2, \ldots, i_t\} \to \{i_1, i_2, \ldots, i_t\}$.

Definition 3.2 does not say anything on the entropies of random variables
$S_{i_1,\ldots,i_t}$ and $S_{i'_1,\ldots,i'_t}$. For example, we could have either $H(S_{i_1,\ldots,i_t}) > H(S_{i'_1,\ldots,i'_t})$
or $H(S_{i_1,\ldots,i_t}) < H(S_{i'_1,\ldots,i'_t})$. Our results apply for the general case of arbitrary
entropies on keys, but for clarity we often state our results for the simpler case
that all entropies on keys are equal, i.e. $H(S_{i_1,\ldots,i_t}) = H(S_{i'_1,\ldots,i'_t})$ for all $t$-uples
of users $(U_{i_1}, \ldots, U_{i_t})$ and $(U_{i'_1}, \ldots, U_{i'_t})$, and we denote this entropy by $H(S)$.

The next simple lemma proves that if a $t$-conference KDS is $k$-secure then it
is $k'$-secure for all integers $k' \le k$.

Lemma 3.1 Let $U = \{U_1, \ldots, U_n\}$ be a set of users and let $k$, $k \le n - t$, be an
integer. In any $k$-secure key distribution scheme for $U$, for any integer $k' \le k$ it
holds

$H(S_{i_1,\ldots,i_t}|U_{j_1} \ldots U_{j_{k'}}) = H(S_{i_1,\ldots,i_t})$

for all users $U_{i_1}, \ldots, U_{i_t}, U_{j_1}, \ldots, U_{j_{k'}}$ such that $j_1, \ldots, j_{k'} \notin \{i_1, \ldots, i_t\}$.

Proof: From 2'. of Definition 3.2 we have $H(S_{i_1,\ldots,i_t}) = H(S_{i_1,\ldots,i_t}|U_{j_1} \ldots U_{j_k})$.
From (8), one gets

$H(S_{i_1,\ldots,i_t}|U_{j_1} \ldots U_{j_k}) \le H(S_{i_1,\ldots,i_t}|U_{j_1} \ldots U_{j_{k'}}) \le H(S_{i_1,\ldots,i_t})$.

Thus $H(S_{i_1,\ldots,i_t}|U_{j_1} \ldots U_{j_{k'}}) = H(S_{i_1,\ldots,i_t})$. □

From Lemma 3.1 one has that Property 2'. can be equivalently written as

2''. Any group of $k' \le k$ users have no information on a key they should not
know.

For all users $U_{i_1}, \ldots, U_{i_t}, U_{j_1}, \ldots, U_{j_{k'}}$ such that $j_1, \ldots, j_{k'} \notin \{i_1, \ldots, i_t\}$, it
holds

$H(S_{i_1,\ldots,i_t}|U_{j_1} \ldots U_{j_{k'}}) = H(S_{i_1,\ldots,i_t})$.
4 Lower Bound: Conference Key Distribution

In this section we prove a lower bound on the size of user's information for a
$k$-secure $t$-conference KDS. Let $U_{j_1}, \ldots, U_{j_t}$ be $t$ users and let $A = \{j_1, \ldots, j_t\}$ be
a set of $t$ indices. With $S_A$ we denote both the set of common keys among the
users $U_{j_1}, \ldots, U_{j_t}$ and the random variable induced by these common keys, and
with $U_A$ we denote both the set of users $\{U_{j_1}, \ldots, U_{j_t}\}$ and the random variable
induced by the values $u_{j_1}, \ldots, u_{j_t}$.

In a $k$-secure $t$-conference KDS the knowledge of $k$ keys does not convey any
information on another key. This is formalized by the next lemma.

Lemma 4.1 Let $U = \{U_1, \ldots, U_n\}$ be a set of $n$ users and let $r$ and $k$, $k \le n - t$,
be integers. Let $X, Y_1, \ldots, Y_r, Z$ be subsets of $\{1, 2, \ldots, n\}$ such that $|Z| = k$,
$Z \cap X = \emptyset$, $Z \cap Y_i \ne \emptyset$ and $|X| = |Y_i| = t$, for $i = 1, \ldots, r$. Then, in any $k$-secure
$t$-conference key distribution scheme for $U$

$H(S_X|S_{Y_1} \ldots S_{Y_r}) = H(S_X)$.

Proof: From (6) we have $H(S_X) \ge H(S_X|S_{Y_1} \ldots S_{Y_r})$. To prove the lemma it is
enough to prove that $H(S_X|S_{Y_1} \ldots S_{Y_r}) \ge H(S_X)$. Note that $Z \cap X = \emptyset$.

First note that the conditional mutual information between $S_X$ and $S_{Y_1} \ldots S_{Y_r}$
given $U_Z$ is

$I(S_{Y_1} \ldots S_{Y_r}; S_X|U_Z) = H(S_{Y_1} \ldots S_{Y_r}|U_Z) - H(S_{Y_1} \ldots S_{Y_r}|U_Z S_X)$ (from (7))
$\le H(S_{Y_1} \ldots S_{Y_r}|U_Z)$ (from (2))
$\le \sum_{i=1}^{r} H(S_{Y_i}|U_Z)$ (from (3) and (8))
$\le 0$ (from (8) and 1'. of Definition 3.2)

Since the mutual information is non-negative we have

$I(S_{Y_1} \ldots S_{Y_r}; S_X|U_Z) = 0$.

From (5) it follows $I(S_X; S_{Y_1} \ldots S_{Y_r}|U_Z) = I(S_{Y_1} \ldots S_{Y_r}; S_X|U_Z)$ and thus

$H(S_X|U_Z) = H(S_X|U_Z S_{Y_1} \ldots S_{Y_r})$. (9)

Finally, one gets

$H(S_X|S_{Y_1} \ldots S_{Y_r}) \ge H(S_X|U_Z S_{Y_1} \ldots S_{Y_r})$ (from (6))
$= H(S_X|U_Z)$ (from (9))
$= H(S_X)$ (from 2'. of Definition 3.2)

which proves the lemma. □
We assume that all keys have the same entropy, i.e. $H(S_{j_1,\ldots,j_t}) = H(S)$ for all
different $j_1, \ldots, j_t$. The next theorem states a lower bound on the size of information
held by each user.

Theorem 4.1 Let $U$ be a set of $n$ users and let $k$, $k \le n - t$, be an integer.
In any $k$-secure $t$-conference key distribution scheme, the entropy $H(U_i)$ of each
user $U_i$ satisfies

$H(U_i) \ge \binom{k+t-1}{t-1} H(S)$.

Proof: Consider the set of indices $I = \{j_1, \ldots, j_{k+t-1}\}$ and an index $i$ such that
$i \notin I$. Let $m = \binom{k+t-1}{t-1} - 1$. Construct $A, B_1, \ldots, B_m, C$ as follows. Set $C$ is equal
to $C = \{j_1, \ldots, j_k\}$, set $A$ is equal to $A = \{i, j_{k+1}, \ldots, j_{k+t-1}\}$ and, finally, set
$B_l$, for $l = 1, \ldots, m$, is constructed taking the element $i$ along with any $(t-1)$
elements from the set $I$, with the exception of $\{j_{k+1}, \ldots, j_{k+t-1}\}$, that is,

$B_l \in \{\{i, x_1, \ldots, x_{t-1}\} \mid x_1, \ldots, x_{t-1} \in I,\ \{x_1, \ldots, x_{t-1}\} \ne \{j_{k+1}, \ldots, j_{k+t-1}\}\}$.

We have

$H(U_i) = H(S_{B_1} \ldots S_{B_m} S_A) - H(S_{B_1} \ldots S_{B_m} S_A|U_i) + H(U_i|S_{B_1} \ldots S_{B_m} S_A)$ (from (4) and (5))

$\ge H(S_{B_1} \ldots S_{B_m} S_A) - \sum_{l=1}^{m} H(S_{B_l}|U_i) - H(S_A|U_i) + H(U_i|S_{B_1} \ldots S_{B_m} S_A)$ (from (3) and (8))

$= H(S_{B_1} \ldots S_{B_m} S_A) + H(U_i|S_{B_1} \ldots S_{B_m} S_A)$ (from 1'. of Definition 3.2)

$\ge H(S_{B_1} \ldots S_{B_m} S_A)$ (from (2))

$= H(S_{B_1}) + H(S_{B_2}|S_{B_1}) + \cdots + H(S_{B_m}|S_{B_1} \ldots S_{B_{m-1}}) + H(S_A|S_{B_1} \ldots S_{B_m})$ (from (3))

Sets $Z = C$, $X = A$, $Y_l = B_l$ for $l = 1, \ldots, m$ satisfy the hypothesis of
Lemma 4.1. Thus we have $H(S_A|S_{B_1} \ldots S_{B_m}) = H(S_A)$. Moreover, for each $h$,
$1 \le h \le m$, sets $X = B_h$, $Z = I \setminus B_h$ and $Y_l = B_l$, for $l = 1, \ldots, h-1$, satisfy
the hypothesis of Lemma 4.1. Thus, $H(S_{B_h}|S_{B_1} \ldots S_{B_{h-1}}) = H(S_{B_h})$ and,

$H(U_i) \ge H(S_{B_1}) + H(S_{B_2}) + \cdots + H(S_{B_m}) + H(S_A) = (m+1) H(S) = \binom{k+t-1}{t-1} H(S)$.

Hence the theorem follows. □
A particular case of Theorem 4.1 is when $t = 2$ and $k = n - 2$. In this case
the key of a pair of users cannot be computed (even one of its bits cannot be
computed) by an adversary coalition of the other $n - 2$ users. Each user holds
at least $n - 1$ pieces of information of size equal to the size of the common key.
The total number of pieces of information held by all users is at least $n(n-1)$.
This is the well known problem of $n^2$ keys. The bound $H(U_i) \ge \binom{k+t-1}{t-1} H(S)$ is
achieved by the protocol we next propose.

5 Protocols for Key Distribution 

In this section we design and analyze protocols for $k$-secure $t$-conference key distribution which are applicable to hierarchical KDS as well (as will be explained later). The scheme we propose, when applied to 2-party KDS, is a particular case of Blom's scheme [2] based on MDS linear codes, and, in particular, based on polynomials.

Blom's protocol for a $k$-secure (2-conference) KDS for $n$ users is as follows. Let $G$ be a (publicly known) generator matrix of an $(n, k+1)$ MDS linear code over $GF(q)$ (see [13] for definitions and analysis of such codes) and let $D$ be a secret random matrix with elements in $GF(q)$. From the matrices $G$ and $D$, construct an $n \times n$ symmetric matrix $K$ whose entries will be the users' keys. The matrix $K$ is equal to $K = (DG)^T G$. The information given to user $U_i$ consists of row $i$ of $(DG)^T$. If user $U_i$ wants to communicate with user $U_j$ then he computes the inner product of the held vector with column $j$ of $G$ and obtains the common key $s_{i,j} = K(i,j)$.

We propose the following protocol (to be extended to various other applications in the sequel) for a $k$-secure $t$-conference KDS. Let $P(x_1, \ldots, x_t)$ be a symmetric polynomial in $t$ variables of degree $k$ with coefficients over $GF(q)$, $q > n$, that is, $P(x_1, \ldots, x_t) = P(x_{\sigma(1)}, \ldots, x_{\sigma(t)})$ for all permutations $\sigma : \{1, 2, \ldots, t\} \to \{1, 2, \ldots, t\}$. To each user $U_i$ the server gives the polynomial $f_i(x_2, \ldots, x_t) = P(i, x_2, \ldots, x_t)$, that is, the polynomial obtained by evaluating $P(x_1, \ldots, x_t)$ at $x_1 = i$. If users $U_{j_1}, \ldots, U_{j_t}$ want to set up a conference key then each user $U_{j_l}$ evaluates $f_{j_l}(x_2, \ldots, x_t)$ at $(x_2, \ldots, x_t) = (j_1, \ldots, j_{l-1}, j_{l+1}, \ldots, j_t)$. The conference key is equal to $S_{j_1, \ldots, j_t} = P(j_1, \ldots, j_t)$.

As we mentioned above, when $t = 2$ our scheme is a particular case of Blom's scheme. Indeed, the generator matrix $G$ of the MDS code is constructed by setting the entry $G(i,j)$ to $j^{i-1}$.

Theorem 5.1 In the scheme based on symmetric polynomials, if all coefficients of the symmetric polynomial in $t$ variables of degree $k$ are uniformly chosen in $GF(q)$, then the $t$-conference key distribution scheme is $k$-secure and optimal.

The scheme proposed meets the bound provided by Theorem 4.1 when all coefficients are uniformly chosen. Indeed, in a symmetric polynomial $P(x_1, \ldots, x_r)$ the coefficient $a_{i_1, \ldots, i_r}$ is equal to $a_{\sigma(i_1), \ldots, \sigma(i_r)}$ for all permutations $\sigma : \{i_1, i_2, \ldots, i_r\} \to \{i_1, i_2, \ldots, i_r\}$. Thus, the number of coefficients of a symmetric polynomial in $r$ variables of degree $k$ is equal to the number of possible ways of choosing with repetitions $r$ elements (corresponding to the indices $i_1, \ldots, i_r$) from a set of $k+1$ elements (each $i_j$ can assume $k+1$ values). This is equal to $\binom{k+r}{r}$.

6 Non-Interactive versus Interactive Schemes 

In Section 4 we proved that in a non-interactive $k$-secure $t$-conference KDS, for each user $U_i$ it holds that $H(U_i) \ge \binom{k+t-1}{t-1} H(S)$. In this section we prove that if we allow interaction among users (not with the server!) to set up a common key, then the lower bound can be beaten!

The idea of the protocol is the following. We construct a non-interactive $(k+t-2)$-secure 2-conference KDS using the protocol in [2]. Given a group of $t$ users that want to compute a conference key, the user with the largest identity in the group chooses as conference key a random value in $GF(q)$. Then he sends this value to the other $t-1$ users by using the $(k+t-2)$-secure 2-conference KDS. More formally, the protocol for users $U_1, \ldots, U_n$ is the following (based on the scheme presented above).

1. The server chooses a symmetric polynomial $P(x, y)$ of degree $k+t-2$, with coefficients over $GF(q)$, $q > n$, by randomly choosing its coefficients.

2. To each user $U_i$ the server gives the polynomial $f_i(y) = P(i, y)$, that is, the polynomial obtained by evaluating $P(x, y)$ at $x = i$.

3. If users $U_{i_1}, \ldots, U_{i_t}$, where $i_1 < i_2 < \cdots < i_t$, want to set up a conference key, then:

3.1 User $U_{i_t}$ randomly chooses a secret key $s$ in $GF(q)$.

3.2 User $U_{i_t}$ evaluates the polynomial $f_{i_t}(y)$ at $y = i_l$, for $l = 1, \ldots, t-1$, and then computes the temporary keys $s_{i_t, i_l} = f_{i_t}(i_l)$ (which is equal to $P(i_t, i_l)$).

3.3 User $U_{i_t}$ sends to user $U_{i_l}$ the value $a_l = s_{i_t, i_l} \oplus s$, for $l = 1, \ldots, t-1$, where $\oplus$ is the bitwise xor.

3.4 For $l = 1, \ldots, t-1$: user $U_{i_l}$ first computes $s_{i_l, i_t} = f_{i_l}(i_t)$ (which is equal to $P(i_l, i_t) = P(i_t, i_l)$). Then $U_{i_l}$ computes $s$ by taking the bitwise xor of $s_{i_l, i_t}$ and the value $a_l$ received from $U_{i_t}$.

The above protocol is $k$-secure, since the KDS that is established at steps 1 and 2 is $(k+t-2)$-secure.

In the above protocol only $k+t-1$ elements of $GF(q)$ are distributed by the server and kept by each user.

This proves a separation between the interactive and the non-interactive case for information-theoretically secure key distribution schemes for dynamic conferences.
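The symmetric-polynomial scheme of Section 5 and the interactive protocol just described, as an added worked example (illustration code, not the paper's). It assumes a prime $q = 8191$, distinct integer identities below $q$, and represents a symmetric polynomial by one coefficient per multiset of exponents, so that the per-user share sizes $\binom{k+t-1}{t-1}$ and $k+t-1$ can be read off directly.

```python
"""Symmetric-polynomial conference KDS (Section 5) and the interactive
protocol of Section 6.  Added illustration, not the paper's code.
Assumptions: q prime, identities are distinct integers in 1..n with n < q."""
from itertools import product
import secrets

Q = 8191  # prime, q > n; equals 2**13 - 1, so XOR of two field elements is 13 bits


class SymmetricPolynomial:
    """P(x_1, ..., x_t) of degree k over GF(Q), invariant under permuting its
    variables.  One coefficient is stored per multiset of t exponents from
    {0..k}; every ordering of that multiset shares it, which is exactly the
    symmetry condition, so there are C(k + t, t) coefficients in all."""

    def __init__(self, t, k, coeffs):
        self.t, self.k, self.coeffs = t, k, coeffs

    @classmethod
    def random(cls, t, k):
        """Server step: choose every coefficient uniformly in GF(Q)."""
        coeffs = {}
        for exps in product(range(k + 1), repeat=t):
            coeffs.setdefault(tuple(sorted(exps)), secrets.randbelow(Q))
        return cls(t, k, coeffs)

    def __call__(self, *point):
        """Evaluate P at a point of GF(Q)^t."""
        assert len(point) == self.t
        total = 0
        for exps in product(range(self.k + 1), repeat=self.t):
            term = self.coeffs[tuple(sorted(exps))]
            for x, e in zip(point, exps):
                term = term * pow(x, e, Q) % Q
            total = (total + term) % Q
        return total

    def share(self, i):
        """f_i(x_2, ..., x_t) = P(i, x_2, ..., x_t): what the server hands to
        user U_i.  The coefficients are computed explicitly so that the user
        holds only f_i, never P.  Their number is C(k + t - 1, t - 1), the
        per-user lower bound of Theorem 4.1."""
        coeffs = {}
        for exps in product(range(self.k + 1), repeat=self.t - 1):
            key = tuple(sorted(exps))
            if key not in coeffs:
                coeffs[key] = sum(
                    self.coeffs[tuple(sorted((e1,) + key))] * pow(i, e1, Q)
                    for e1 in range(self.k + 1)) % Q
        return SymmetricPolynomial(self.t - 1, self.k, coeffs)


def non_interactive_keys(P, members):
    """Section 5: each member U_j evaluates its own share f_j at the other
    t - 1 identities; by symmetry every member obtains P(j_1, ..., j_t)."""
    shares = {j: P.share(j) for j in members}
    return {j: shares[j](*[o for o in members if o != j]) for j in members}


def interactive_keys(k, t, members):
    """Section 6: a (k + t - 2)-secure 2-conference KDS plus one XOR-masked
    message per member.  Returns the chosen key, what each receiver
    recovered, and the number of field elements a member stores (k + t - 1,
    fewer than the C(k + t - 1, t - 1) of the non-interactive scheme)."""
    assert len(members) == t
    P = SymmetricPolynomial.random(2, k + t - 2)   # step 1
    shares = {i: P.share(i) for i in members}      # step 2: f_i(y) = P(i, y)
    ids = sorted(members)
    leader, others = ids[-1], ids[:-1]              # largest identity leads
    s = secrets.randbelow(Q)                        # step 3.1
    # steps 3.2-3.3: mask s with s_{i_t,i_l} = f_{i_t}(i_l) = P(i_t, i_l)
    msgs = {i_l: shares[leader](i_l) ^ s for i_l in others}
    # step 3.4: unmask with f_{i_l}(i_t) = P(i_l, i_t), the same value by symmetry
    recovered = {i_l: shares[i_l](leader) ^ msgs[i_l] for i_l in others}
    return s, recovered, len(shares[leader].coeffs)
```

With $k = 2$ and $t = 3$ a non-interactive share has $\binom{4}{2} = 6$ coefficients while the interactive protocol stores only $4$, which is the separation the section proves.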


7 Conference Key Distribution and Communication 
Graph 

In a non-interactive 2-conference KDS for $n$ users each pair of users is able to compute a common key. It can be the case that some pairs of users will never need to compute a common key. This situation can arise when a computer network has a topology which is not the complete graph; here each computer takes the place of a user in a KDS, and two computers can communicate if and only if there is a link between them. As an example, consider a ring of $n$ computers $R = \{C_0, C_1, \ldots, C_{n-1}\}$: computer $C_i$ can communicate with only two computers, $C_{i-1}$ and $C_{i+1}$ (arithmetic on indices is modulo $n$), so it will never need to compute a common key with $C_{i+2}$. In this section we analyze this situation.

Let $U = \{U_1, \ldots, U_n\}$ be a set of users. A communication structure $C$ is a subset of $U \times U$. The communication structure contains all pairs of users for which the server has to provide a common key. A convenient way to represent a communication structure is by a graph $G$, in which each vertex $U_i$ corresponds to user $U_i$, and there is an edge $(U_i, U_j)$ if and only if $(U_i, U_j) \in C$. We call the graph associated to a communication structure the communication graph.

Definition 3.2 can be extended to a key distribution scheme for any commu- 
nication structure C, as follows. 

Definition 7.1 Let $U = \{U_1, \ldots, U_n\}$ be a set of users, let $k \le n-2$ be an integer, and let $C \subseteq U \times U$ be a communication structure. A non-interactive key distribution scheme for $C$ is $k$-secure if

1. Each pair of users in $C$ can non-interactively compute the common key. For all $(U_i, U_j) \in C$, $H(S_{ij} \mid U_i) = H(S_{ij} \mid U_j) = 0$.

2. Any group of $k$ users has no information on a key they should not know. For all users $U_i, U_j, U_{i_1}, \ldots, U_{i_k}$ such that $i, j \notin \{i_1, \ldots, i_k\}$, $H(S_{ij} \mid U_{i_1} \ldots U_{i_k}) = H(S_{ij})$.

Now we describe a $k$-secure (2-conference) KDS for a communication structure $C$. First, we do not take into account the communication structure and construct a $k$-secure KDS for all users as if each pair had to compute a common key. User $U_i$ could then receive more information than needed. If the degree of vertex $U_i$ in the communication graph is less than $k$, then the piece of information given to $U_i$ could consist of only the actual keys he needs for communicating.

Below we describe a non-interactive $k$-secure key distribution scheme for a communication structure $C$. In the following, $\deg(U_i)$ denotes the cardinality of the set $\{U_j \mid (U_i, U_j) \in C\}$.

1. The server chooses a symmetric polynomial $P(x, y)$ of degree $k$ with coefficients over $GF(q)$, $q > n$, by randomly choosing its coefficients.

2. To each user $U_i$, the server gives the following pieces of information:

2.1 If $\deg(U_i) > k$ then the server gives to user $U_i$ the polynomial $f_i(y) = P(i, y)$, that is, the polynomial obtained by evaluating $P(x, y)$ at $x = i$.

2.2 If $\deg(U_i) \le k$ and $U_{i_1}, \ldots, U_{i_m}$, where $m = \deg(U_i)$, are the adjacent vertices of $U_i$ in the communication graph $G$, then the server gives to user $U_i$ the pieces $a_j = P(i, i_j)$, where $j = 1, \ldots, m$.

This protocol is $k$-secure. The proof is analogous to the proof of Theorem 5.1.

Theorem 7.1 The above described non-interactive key distribution scheme for a communication structure $C$ is $k$-secure.

It is easy to see that in the previous protocol each user $U_i$ receives $\min\{k+1, \deg(U_i)\}$ pieces of information, that is, the size of the information he holds is $\min\{k+1, \deg(U_i)\}$ times the size of the common key. The following theorem proves that the protocol is optimal with respect to the size of the information held by each user. In the following theorem we suppose that all keys have the same entropy, i.e. $H(S_{ij}) = H(S)$ for all $i$ and $j$.

Theorem 7.2 Let $U = \{U_1, \ldots, U_n\}$ be a set of users, let $k$, $k \le n-2$, be an integer, and let $G$ be a communication graph on $U$. In any $k$-secure key distribution scheme for $G$, the entropy $H(U_i)$ of each user $U_i$ satisfies

$$H(U_i) \ge \mu \cdot H(S),$$

where $\mu = \min\{k+1, \deg(U_i)\}$.

Proof: Let $(U_i, U_{j_1}), \ldots, (U_i, U_{j_\mu})$ be elements of the communication structure described by graph $G$. That is, the server has to provide a common key for such pairs of users. Then, one has

$$\begin{aligned}
H(U_i) &= H(S_{i,j_1} \cdots S_{i,j_\mu}) - H(S_{i,j_1} \cdots S_{i,j_\mu} \mid U_i) + H(U_i \mid S_{i,j_1} \cdots S_{i,j_\mu}) && \text{(from (4) and (5))}\\
&\ge H(S_{i,j_1} \cdots S_{i,j_\mu}) - \sum_{l=1}^{\mu} H(S_{i,j_l} \mid U_i) + H(U_i \mid S_{i,j_1} \cdots S_{i,j_\mu}) && \text{(from (3) and (8))}\\
&= H(S_{i,j_1} \cdots S_{i,j_\mu}) + H(U_i \mid S_{i,j_1} \cdots S_{i,j_\mu}) && \text{(from 1. of Definition 7.1)}\\
&\ge H(S_{i,j_1} \cdots S_{i,j_\mu}) && \text{(from (2))}\\
&= H(S_{i,j_1}) + H(S_{i,j_2} \mid S_{i,j_1}) + \cdots + H(S_{i,j_\mu} \mid S_{i,j_1} \cdots S_{i,j_{\mu-1}}) && \text{(from (3))}\\
&= H(S_{i,j_1}) + H(S_{i,j_2}) + \cdots + H(S_{i,j_\mu}) && \text{(from Lemma 4.1)}\\
&= \mu \cdot H(S). \qquad \square
\end{aligned}$$

Analogously to KDSs, in $t$-conference KDS we can consider the case when not all the $t$-tuples of users need to set up a common key. Let $U = \{U_1, \ldots, U_n\}$ be a set of users. A $t$-communication structure $C_t$ is a subset of $U^t$. The communication structure contains all $t$-tuples of users for which the protocol has to provide a conference key. A convenient way to represent a $t$-communication structure is by a hypergraph $H$ in which each vertex $U_i$ corresponds to user $U_i$, and there is a hyperedge $(U_{i_1}, \ldots, U_{i_t})$ if and only if $(U_{i_1}, \ldots, U_{i_t}) \in C_t$. We will call the hypergraph associated with a $t$-communication structure the communication hypergraph. Definition 7.1, the previously described protocol, and Theorem 7.2 can be extended to a key distribution scheme for any $t$-communication structure $C_t$.
8 Applications: Authentication and Master Keys

The polynomial-based scheme proposed applies to settings where a limited coalition of adversaries, of size up to a certain security parameter $k$, is expected. A basic application is secure conference key generation. The setting is ideal for the case of master key generation (to derive further temporal keys), or authentication of conference members based on conventional cryptosystems using the key in authentication protocols (such as the ones described in [1]) and without the need of going to an on-line server (as in [19]). For authentication applications it has a necessary and elegant feature, as it connects the IDs of parties to the authentication master key (an ID-based authentication method). Further, additional authenticating information can be attached (as explained in the following sub-sections). The advantage of the system from an operational point of view is that it disposes of the need to contact an on-line remote server; the alternative cost is, naturally, the on-line key computation (evaluation) cost (this can be somewhat reduced if keys are cached).

8.1 Mixed User Groups 

It may be desired to have an asymmetric protocol where the two parties are not considered equal. For example, one party is a server, and the other a client (e.g., a server-user model). The protocol, in this case, will not only authenticate the name of the user (say), but also the fact that it is an entity with the status of user (rather than a server); users will not be able to claim to be servers. In this case we can modify the scheme to use asymmetric polynomials. This asymmetric scheme can be used to define the status (type) of users in various security domains.

8.2 Two-level hierarchical polynomial 

Another use for the scheme is for a hierarchical transfer of trust. This can be done either with the symmetric or with the asymmetric polynomial methods. Let us demonstrate here a two-level hierarchy of authority servers (domains) and users. The system's polynomial has four (sets of) variables $Q(x, y, z, w)$, with $Q(x, y, \cdot, \cdot) = Q(y, x, \cdot, \cdot)$ and $Q(\cdot, \cdot, z, w) = Q(\cdot, \cdot, w, z)$. The first half of the variables are to be evaluated under the servers' names and the latter half under the users' names. This gives an identification of both the user and its domain (server) in an authentication process. This can be extended to a few levels, the symmetric polynomial

8.3 Uses for internetworking 

In an inter-enterprise environment, using the above method, an organization (company) can issue permits (authentication polynomials) to its own employees, without knowing the main polynomial. Whenever an employee of this company uses the network, it is clear that he indeed has received his authorization from that company (since he must send C, otherwise he will not be able to authenticate himself). Moreover, if it is desired to revoke the permit of this company, it is not necessary to revoke the permit of each of its employees separately; rather, revoke the server's authorization and eliminate the rights of its users.

8.4 Additional control variables 

A multi-variate polynomial may have additional uses. Additional meanings can 
be assigned to a few additional variables, for example: 

- Time-stamp: The polynomial can be evaluated at a specific date by the distributor. The entity using it will have to specify the date it received it (otherwise it will not be able to generate the authentication key). Thus, validity and expiration can easily be decided.

- Group membership: Members of a specific group will be given private polynomials evaluated also under the name of the group (while others will be given the polynomial evaluated under the names of other groups).

- Permission to access a certain resource for an access-control mechanism can be embedded in the private polynomial computation.

To conclude, we have modeled, analyzed, and designed dynamic optimal con- 
ference key distribution schemes, presented the advantage of interaction in this 
setting, and presented modifications and essential applications. 
Abstract

In this paper we develop the first known attack which is capable of breaking the full 16 round DES in less than the $2^{55}$ complexity of exhaustive search. The data analysis phase computes the key by analyzing about $2^{36}$ ciphertexts in $2^{37}$ time. The $2^{36}$ usable ciphertexts are obtained during the data collection phase from a larger pool of $2^{47}$ chosen plaintexts by a simple bit repetition criterion which discards more than 99.9% of the ciphertexts as soon as they are generated. While earlier versions of differential attacks were based on huge counter arrays, the new attack requires negligible memory and can be carried out in parallel on up to $2^{33}$ disconnected processors with linear speedup. In addition, the new attack can be carried out even if the analyzed ciphertexts are derived from up to $2^{33}$ different keys due to frequent key changes during the data collection phase. The attack can be carried out incrementally with any number of available ciphertexts, and its probability of success grows linearly with this number (e.g., when $2^{29}$ usable ciphertexts are generated from a smaller pool of $2^{40}$ plaintexts, the analysis time decreases to $2^{30}$ and the probability of success is about 1%).



1 Introduction 

The Data Encryption Standard (DES) is the best known and most widely used cryptosystem for civilian applications. It consists of 16 rounds of substitution and permutation operations, carried out under the control of a 56 bit key (see [6] for further details). It was adopted as a US national standard in the mid 70's, and has been extensively analyzed for over 15 years. However, no attack which is faster than exhaustive search (whose complexity is $2^{55}$ due to a simple complementation property that halves the number of searched keys) has ever been reported in the open literature.

The lack of progress in the cryptanalysis of the full DES led many researchers to analyse simplified variants of DES, and in particular variants of DES with fewer than 16 rounds. Chaum and Evertse [4] described an attack on reduced variants of DES, whose complexity is $2^{54}$ for the six-round variant. They showed that their attack is not applicable to variants with eight or more rounds. Davies [5] devised a known plaintext attack whose application to DES reduced to eight rounds analyzes $2^{40}$ known plaintexts and has time complexity $2^{40}$. This attack is not applicable to the full 16-round DES since it has to analyze more than the $2^{64}$ possible plaintexts. The most successful attack on reduced variants of DES was the method we called differential cryptanalysis [1], which could break variants of DES with up to 15 rounds faster than via exhaustive search. However, for the full 16-round DES the complexity of the attack was $2^{58}$, which was slower than exhaustive search. Similar attacks were used to cryptanalyze a large number of DES-like cryptosystems and hash functions [2,3].

In this paper we finally break through the 16-round barrier. We develop an improved version of differential cryptanalysis which can break the full 16-round DES in $2^{37}$ time and negligible space by analyzing $2^{36}$ ciphertexts obtained from a larger pool of $2^{47}$ chosen plaintexts. An interesting feature of the new attack is that it can
be applied with the same complexity and success probability even if the key is fre- 
quently changed and thus the collected ciphertexts are derived from many different 
keys. The attack can be carried out incrementally, and one of the keys can be com- 
puted in real time while it is still valid. This is particularly important in attacks on 
bank authentication schemes, in which the opponent needs only one opportunity to 
forge a multi-million dollar wire transfer, but has to act quickly before the next key 
changeover invalidates his message. 

2 The New Attack 

The reader is assumed to be familiar with the general concept of differential cryptanalysis, and in particular with the definitions and notations introduced in [1]. As usual, we ignore the initial permutation IP and final permutation $IP^{-1}$ of DES, since they have no effect on our analysis.

The old attack on the 15-round variant of DES was based on the following two- 
round iterative characteristic: 
$\Omega_P = (\psi, 0) = $ 19 60 00 00 00 00 00 00$_x$
    first round: output XOR 0 (always)
    second round: output XOR 0 (with probability about 1/234)
$\Omega_T = (0, \psi) = $ 00 00 00 00 19 60 00 00$_x$



The 13-round characteristic results from iterating this characteristic six and a half 
times and its probability is about $2^{-47.2}$. The attack used this characteristic in 
rounds 1 to 13, followed by a 2R-attack on rounds 14 to 15. Any pair of plaintexts 
which gives rise to the intermediate XORs specified by this characteristic is called 
a right pair. The attack tries many pairs of plaintexts, and eliminates any pair 
which is obviously wrong due to its known input and output values. However, since 
the cryptanalyst cannot actually determine the intermediate values, the elimination 
process is imperfect and leaves behind a mixture of right and wrong pairs. 

In earlier versions of differential cryptanalysis, each surviving pair suggested sev- 
eral possible values for certain key bits. Right pairs always suggest the correct value 
for these key bits (along with several wrong values), while wrong pairs suggest random 
values. When sufficiently many right pairs are analyzed, the correct value (signal) 
overcomes the random values (noise) by becoming the most frequently suggested 
value. The actual algorithm is to keep a separate counter for the number of times 
each value is suggested, and to output the index of the counter with the maximal 
final value. This approach requires a huge memory (with up to $2^{42}$ counters in the 
attack on the 15-round variant of DES), and has a negligible probability of success 
when the number of analyzed pairs is reduced below the threshold implied by the 
signal to noise ratio. 

In the new version of differential cryptanalysis, we work somewhat harder on each 
pair, and suggest a list of complete 56-bit keys rather than possible values for a 
subset of key bits. As a result, we can immediately test each suggested key via trial 
encryption, without using any counters. These tests can be carried out in parallel 
on disconnected processors with very small local memories, and the algorithm is 
guaranteed to discover the correct key as soon as the first right pair is encountered. 
Since the processing of different pairs are unrelated, they can be generated by different 
keys at different times due to frequent key changes, and the discovery of a key can 
be announced in real time while it is still valid (e.g., in order to forge authenticators 
for banking messages). 

The key to success in such an attack is to use a high probability characteristic, which makes it possible to consider fewer wrong pairs before the first occurrence of a right pair. The probability of the characteristic used in the attack on the 15-round variant of DES is about $(1/234)^6 \approx 2^{-47.2}$. The obvious way to extend the attack to 16 rounds is to use the above iterative characteristic one more time, but this reduces the probability of the characteristic from $2^{-47.2}$ to $2^{-55.1}$, which makes the attack slower than exhaustive search. Our new attack adds the extra round without reducing the probability at all.

The assumed evolution of XORs of corresponding values during the encryption 
of a right pair of plaintexts in the new 16-round attack are summarized in Figure 1, 
which consists of the old 15-round attack on rounds 2 to 16, preceded by a new 
round 1. 

Our goal is to generate, without loss of probability, pairs of plaintexts whose XORed outputs after the first round are the required XORed inputs $(\psi, 0)$ into the 13-round characteristic of rounds 2 to 14. Let $P$ be an arbitrary 64-bit plaintext, and let $v_0, \ldots, v_{4095}$ be the $2^{12}$ 32-bit constants which consist of all the possible values at the 12 bit positions which are XORed with the 12 output bits of S1, S2 and S3 after the first round, and 0 elsewhere. We now define a structure which consists of $2^{13}$ plaintexts:

$$P_i = P \oplus (v_i, 0), \qquad \bar{P}_i = (P \oplus (v_i, 0)) \oplus (0, \psi) \qquad \text{for } 0 \le i < 2^{12},$$

$$T_i = \mathrm{DES}(P_i, K), \qquad \bar{T}_i = \mathrm{DES}(\bar{P}_i, K).$$

The plaintext pairs we are interested in are all the pairs $P_i, \bar{P}_j$ with $0 \le i, j < 2^{12}$.

There are $2^{24}$ such plaintext pairs, and their XOR is always of the form $(v_k, \psi)$, where each $v_k$ occurs exactly $2^{12}$ times. Since the actual processing of the left half of $P$ and of the left half of $P$ XORed with $\psi$ in the first round under the actual key creates a XORed value after the first round which can be non-zero only at the outputs of S1, S2 and S3, this XORed value is one of the $v_k$. As a result, for exactly $2^{12}$ of the plaintext pairs, the output XOR of the first F-function is exactly cancelled by XORing it with the left half of the plaintext XOR, and thus the output XOR of the first round (after swapping the left and right halves) is the desired input XOR $(\psi, 0)$ into the iterative characteristic. Therefore, each structure has a probability of about $2^{12} \cdot 2^{-47.2} = 2^{-35.2}$ to contain a right pair.

The problem in this approach is that we do not know the actual value of $v_k$ which cancels the output XOR of the first F-function, and thus we do not know on which $2^{12}$ plaintext pairs to concentrate. Trying all the $2^{24}$ possible pairs takes too long, but we can use their cross-product structure to isolate the right pairs among them in just $2^{12}$ time. In any right pair, the output XOR after 16 rounds should be zero at the outputs of the five S boxes S4, ..., S8 (i.e., at 20 bit positions). We can thus sort 
(or hash) the two groups of $2^{12}$ ciphertexts $T_i$, $\bar{T}_j$ by these 20 bit positions, and detect all the repeated occurrences of values among the $2^{24}$ ciphertext pairs in about $2^{12}$ time. Any pair of plaintexts which fails this test has a non-zero ciphertext XOR at those 20 bit positions, and thus cannot be a right pair by definition. Since each one of the $2^{24}$ possible pairs passes this test with probability $2^{-20}$, we expect about $2^4 = 16$ pairs to survive. By testing additional S boxes in the first, fifteenth, and sixteenth rounds and eliminating all the pairs whose XOR values are indicated as impossible in the pairs XOR distribution tables of the various S boxes, we can discard about 92.55% of these surviving pairs¹, leaving only $16 \cdot 0.0745 = 1.19$ pairs per structure as the expected output of the data collection phase. All these additional tests can be implemented by a few table lookup operations into small precomputed tables, and their time complexity is much smaller than the time required to perform one trial encryption during an exhaustive search. Note that this filtering process removes only wrong pairs, but not all of them, and thus the input of the data analysis phase is still a mixture of right and wrong pairs.
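The sort-or-hash step of the data collection phase, as an added example in Python (not the paper's code). Random 64-bit words stand in for the $T_i$ and $\bar{T}_j$ ciphertexts and the low 20 bits stand in for the S4..S8 output positions, both constructed assumptions, so what it shows is only the $2^{12}$-time pairing and the expected 16 survivors per structure, not DES itself.

```python
"""Hash-join of one structure's ciphertexts on 20 bit positions (Section 2).
Added illustration, not the paper's code.  Random words stand in for DES
ciphertexts and MASK20 for the S4..S8 output positions (both assumptions)."""
import random
from collections import defaultdict

STRUCTURE = 1 << 12        # 2^12 plaintexts on each side of a structure
MASK20 = (1 << 20) - 1     # stand-in for the 20 output bits of S4, ..., S8


def surviving_pairs(t, tbar, mask=MASK20):
    """All (i, j) with T_i XOR Tbar_j == 0 on the masked bits.  Hashing one
    side and probing with the other costs about 2^12 work plus one step per
    survivor, instead of the 2^24 comparisons of the naive version."""
    buckets = defaultdict(list)
    for i, c in enumerate(t):
        buckets[c & mask].append(i)
    return [(i, j) for j, c in enumerate(tbar) for i in buckets.get(c & mask, ())]


def surviving_pairs_naive(t, tbar, mask=MASK20):
    """Reference result: every one of the len(t) * len(tbar) pairs is tested."""
    return [(i, j) for i in range(len(t)) for j in range(len(tbar))
            if (t[i] ^ tbar[j]) & mask == 0]


def random_structure(rng, size=STRUCTURE):
    """Constructed stand-in for the T_i and Tbar_j of one structure."""
    return ([rng.getrandbits(64) for _ in range(size)],
            [rng.getrandbits(64) for _ in range(size)])


def mean_survivors(n_structures, seed=0):
    """Average number of pairs passing the 20-bit test per structure; the
    text predicts 2^24 * 2^-20 = 16 for random (wrong) pairs."""
    rng = random.Random(seed)
    total = 0
    for _ in range(n_structures):
        t, tbar = random_structure(rng)
        total += len(surviving_pairs(t, tbar))
    return total / n_structures
```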

The data analysis phase of previous differential cryptanalytic attacks used huge arrays of up to $2^{42}$ counters to find the most popular values of certain key bits. The new variant of differential attack described in this paper uses only negligible space. We want to count on all the key bits simultaneously but cannot afford the huge array of $2^{56}$ counters. Instead, we immediately try each suggested value of the key. A key value is suggested when it can create the output XOR values of the last round as well as the expected output XOR of the first round and the fifteenth round for the particular plaintext pairs and ciphertext pairs. In the first round and in the fifteenth round the input XORs of S4 and S5, ..., S8 are always zero. Due to the key scheduling algorithm, all the 28 bits of the left key register are used as inputs to the S boxes S1, S2 and S3 in the first and the fifteenth rounds and S1, ..., S4 in the sixteenth round. Only 24 bits of the right key register are used in the sixteenth round. Thus, $28 + 24 = 52$ key bits enter these S boxes. Only a fraction of the choices of the 52-bit values remain by comparing the output XOR of the last round to its expected value and discarding the ones whose values are not possible, and only a fraction of the remaining ones remain by comparing the output XOR of the three S boxes in the first round to its expected value. A similar fraction of the remaining 52-bit values remain by analyzing the three S boxes in the fifteenth round. Each analyzed pair suggests about $2^{52}$ times the product of these fractions, i.e. about 0.84 values for these 52 bits of the key, and each one of them corresponds to 16 possible values of the full 56-bit key. Therefore, each structure suggests about $1.19 \cdot 0.84 \cdot 16 = 16$ choices for the whole key. By peeling off two additional rounds we can verify each such key by performing about one quarter of a DES encryption (i.e., executing two rounds for each one of the two members of the pair), leaving only about $2^{-12}$ of the choices of the key. This filtering costs about

¹ A fraction of about $\left(\frac{14}{16} \cdot \frac{13}{16} \cdot \frac{12}{16}\right)^2 \cdot 0.8^6 = 0.0745$ of these pairs remain, and thus a fraction of about 0.9255 of them are discarded. The input XOR values of the S boxes in the first and the fifteenth rounds of right pairs are known and fixed, and thus we use the fraction of non-zero entries of the corresponding lines in the pairs XOR distribution tables, whose values are $\frac{14}{16}$, $\frac{13}{16}$ and $\frac{12}{16}$, rather than the fraction of the non-zero entries in the whole tables, which is approximated by 0.8.
Table 1. The number of common bits entering the S boxes in the first round (K1) and in the sixteenth round (K16)

$16 \cdot \frac{1}{4} = 4$ equivalent DES operations. Each remaining choice of the 56-bit key is verified via trial encryption of one of the plaintexts and comparing the result to the corresponding ciphertext. If the test succeeds, there is a very high probability that this key is the right key. Note that the signal to noise ratio of this counting scheme is about $S/N = 916.8$.

This data analysis can be carried out efficiently by carefully choosing the order in which we test the various key bits. We first enumerate all the possible values of the six key bits of $S4_{Kb}$, and eliminate any value which does not give rise to the expected XOR of the four output bits from this S box. This leaves four out of the 64 possibilities on average. Table 1 shows the number of common bits entering the S boxes in the first round and in the sixteenth round. The notation X denotes the bits which are not used in the specific subkey. We see that three of the bits of $S4_{Kb}$ are shared with $S3_{Ka}$. We complete the three missing bits of $S3_{Ka}$ in all possible ways, and reduce the average number of possibilities to two. Two bits of $S1_{Kb}$ are shared with $S3_{Ka}$. By completing the four missing bits of $S1_{Kb}$ and then the two missing bits of $S2_{Ka}$ we can reduce the average number of possibilities to about half. After completing the 13 remaining bits of the left key register in a similar way, the average number of values suggested for this half of the key is one.

To compute bits from the right key register, we first extract actual S box bits from their assumed XORed values. In the fifteenth round we know the input XORs and the output XORs of S1, S2 and S3. We can thus generate about 4-5 candidate inputs for each one of these S boxes, and deduce the corresponding bits in $g$ by XORing with the known bits of the left key register. In a similar way, we can calculate the outputs of the S boxes S1, S2, S3 and S4 in the sixteenth round, XOR these bits of $H$ with the known bits of the left half of the ciphertext $l$ and get 16 bits of $g$, from which two bits enter S1, two bits enter S2 and three bits enter S3 in the fifteenth round.
By comparing these bit values to the candidate inputs of the S boxes we end up with about one candidate input for S1, one for S2, and only about half of the trials would result in a candidate input for S3. We can now deduce all the bits of $g$ which enter these three S boxes and deduce the corresponding bits of $H$ by $H = g \oplus l$. Two of these bits are outputs of S5, two bits are outputs of S6, three are outputs of S7 and one is an output of S8. For each of these four S boxes we know the input XOR and the output XOR, and can deduce about 4-5 possible inputs. Since we also know actual output bits, the number of possible inputs is reduced to about one for S5 and S6, two for S8, but only half of the trials would result in a candidate for S7. We can deduce 24 out of the 28 bits of the right key register by XORing the 24 computed bits at the inputs of these four S boxes with the expanded value of the known right half of the ciphertext.

We can now summarize the performance of the new attack in the following way. Each structure contains a right pair with probability $2^{-35.2}$. The data collection phase encrypts a pool of about $2^{35}$ structures, which contain about $2^{35} \cdot 2^{13} = 2^{48}$ chosen plaintexts, from which about $2^{35} \cdot 1.19 = 2^{35.25}$ pairs ($2^{36.25}$ ciphertexts) remain as candidate inputs to the data analysis phase. The probability that at least one of them is a right pair is about 58%, and the analysis of any right pair is guaranteed to lead to the correct key. The time complexity of this data analysis phase is about $2^{35} \cdot 4 = 2^{37}$ equivalent DES operations.

In order to further reduce the number of chosen plaintexts, we can use the quartet 
method of [1]. Since the basic collection of plaintexts in the new attack is a structure 
rather than a pair, we create metastructures which contain 2^14 chosen plaintexts, 
built from two structures which correspond to the standard iterative characteristic 
and from two structures which correspond to the following iterative characteristic: 

(ψ, 0) = 1b 60 00 00 00 00 00 00_x 
    0 ← 0                  always 
    0 ← ψ                  with probability about 1/234 
(0, ψ) = 00 00 00 00 1b 60 00 00_x 

This characteristic has the same probability as the previous one. With these metas-
tructures, we can obtain four times as many pairs from twice as many plaintexts, and 
thus reduce the number of chosen plaintexts encrypted in the data collection phase 
from 2^48 to 2^47. 
Table 2. Summary of the new memoryless results on DES 



The general form of the new attack can be summarized in the following way: Given 
a characteristic with probability p and signal to noise ratio S/N for a cryptosystem 
with k key bits, we can apply a memoryless attack which encrypts 2/p chosen plaintexts 
in the data collection phase and has complexity of 2^k/(S/N) trial encryptions during the 
data analysis phase. The number of chosen plaintexts can be reduced to 1/p by using 
appropriate metastructures, and the effective time complexity can be reduced by a 
factor of f < 1 if a tested key can be discarded by carrying out only a fraction f 
of the rounds. Therefore, memoryless attacks can be mounted whenever p > 2^(1-k) 
and S/N > 1. The memoryless attacks require fewer chosen plaintexts compared to 
the corresponding counting schemes, but if the signal to noise ratio is too low or if 
the number of the key bits on which we count is small, the time complexity of the 
data analysis phase may be higher than the corresponding complexity of the counting 
scheme. 

In the attack described in this paper, p = 2^-47.2, k = 56, f = 1/4 and S/N = 2^16.8. 
Therefore, the number of chosen plaintexts is 2/p = 2^48.2 which can be reduced to 
1/p = 2^47.2 by using metastructures, and the complexity of the data analysis phase is 
f · 2^k/(S/N) = 2^37.2 equivalent DES operations. 

The performance of the new attack for various numbers of rounds is summarized 
in Table 2. Variants with an even number of rounds n have a characteristic with 
probability p = (1/234)^((n-4)/2), require p^-1 chosen plaintexts, and analyze p^-1 · 2^-10.75 
plaintexts in time complexity p^-1 · 2^-10. The known plaintext variant of the new attack 
needs about 2^31.5 · p^-0.5 known plaintexts (using the symmetry of the cryptosystem 
which makes it possible to double the number of known encryptions by reversing the 
roles of the plaintexts and the ciphertexts). Variants with an odd number of rounds n 
have a characteristic with probability p = (1/234)^((n-3)/2), require p^-1 chosen plaintexts, 
and analyze p^-1 · 2^-40.2 plaintexts in time complexity p^-1 · 2^-10. For such odd values 
of n, if p > 2^-40.2 then the number of analyzed plaintexts is two and the complexity 
of the data analysis phase is 2^32. However, using about four times as many chosen 
plaintexts, we can use the clique algorithm (described in [1]) and reduce the time 
complexity of the data analysis phase to less than a second on a personal computer. 
The known plaintext attacks need about 2^32 · p^-0.5 known plaintexts (in this case the 
symmetry does not help). The application of the known plaintext attack to eight 
rounds needs a pool of 2^38.5 known plaintexts. The application to 12 rounds needs 
a pool of 2^47.2 known plaintexts. The application to 15 rounds needs a pool of 2^55.6 
known plaintexts and the application to the full 16-round DES needs a pool of 2^55.1 
known plaintexts. This is slightly worse than the 2^55 complexity of exhaustive search 
(which in the case of a known plaintext attack requires about 2^33 plaintexts in order 
to generate a complementary pair via the birthday paradox). 

This specific attack is not directly applicable to plaintexts consisting solely of 
ASCII characters since such plaintexts cannot give rise to the desired XOR differences. 
By using several other iterative characteristics we can attack the full 16-round DES 
with a pool of about 2^49 chosen ASCII plaintexts (out of the 2^56 possible ASCII 
plaintexts). 
Abstract. In this paper we show that we are close to a proof that the 
type of characteristics used by Biham and Shamir in their differential 
attack on DES [3] are in fact the best characteristics we can find for DES. 
Furthermore we show that the criteria for the construction of DES-like 
S-boxes proposed by Kim [6] are insufficient to assure resistance against 
differential attacks. We show several good iterative characteristics for 
these S-boxes to be used in differential attacks. Finally we examine the 
probabilities of the two characteristics used by Biham and Shamir in [3]. 
We found that for some keys we do not get the probabilities used in 
the attack. We suggest the use of 5 characteristics instead of two in the 
attack on DES. 

1 Introduction 

In 1990 Eli Biham and Adi Shamir introduced differential cryptanalysis, a chosen 
plaintext attack on block ciphers that are based on iterating a cryptographically 
weak function r times (e.g. the 16-round Data Encryption Standard (DES)). The 
method proved strong enough to break several cryptosystems, Lucifer, GDES, 
Feal-4, Feal-8, Snefru among others, and DES with a reduced number of rounds, i.e. less 
than 16 rounds [1, 2, 4]. 

In December 1991 Biham and Shamir published an improved differential attack 
that is capable of breaking the full 16-round DES [3]. The attack needs 2^47 cho-
sen plaintexts. The heart of differential attacks is the finding and the use of 
characteristics. In their attack Biham and Shamir use 2-round iterative charac-
teristics. These characteristics are believed to be the best characteristics for an 
attack on 16-round DES, but so far no proof of this has been published in the 
open literature. We are close to the conclusion that this is in fact the case. 
After the breaking of the full 16-round DES the question is whether we can redesign 
DES to withstand this kind of attack. There has been a huge amount of research on DES 
since its publication in the mid 70's. Some of this work has concentrated 
on the design of secure S-boxes. In [6] Kwangjo Kim provides a way of 
constructing DES-like S-boxes based on boolean functions satisfying the SAC 
(Strict Avalanche Criterion). Kim lists 5 criteria for the constructions, includ-
ing "Resistance against differential attacks". Furthermore 8 concrete examples 
of these S-boxes, the s²-DES S-boxes, are listed. The cryptosystem s²-DES is 
obtained by replacing all the 8 DES S-boxes by the 8 s²-DES S-boxes, keeping 
everything else as in DES. It is suggested that s²-DES withstands differential 
attacks better than DES. We show that this is indeed not the case. The conclusion 
is that Kim's 5 criteria for the construction of DES-like S-boxes are insufficient 
to assure resistance against differential attacks. 

E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 497-511, 1993. 
© Springer-Verlag Berlin Heidelberg 1993 

In [1] Biham and Shamir observed that the probability of the two characteristics 
used in [3] will split into two depending on the values of certain keybits. In [3] 
this phenomenon is not considered, and the estimates of complexity are calculated 
using average probabilities. This means that for some keys we will need more 
chosen plaintexts than stated in [3]. We think that exact probabilities should be 
used in the estimates of complexity and suggest the use of 3 additional charac-
teristics to lower the need for chosen plaintexts for a successful attack. 
In section 2 we show different models of iterative characteristics for DES and 
s²-DES to be used in differential attacks. In sections 3 and 4 we show concrete 
examples of these characteristics for DES and s²-DES, the probabilities all be-
ing average values. In section 5 we consider the exact probabilities of iterative 
characteristics for DES. 

2 Iterative characteristics for DES and s²-DES 

We expect the reader to be familiar with the general concepts of differential 
cryptanalysis and refer to [1, 8] for further details. In DES and s²-DES equal 
inputs (to the F-function) always lead to equal outputs. This means that an in-
putxor equal to zero leads to an outputxor equal to zero with probability 1. This 
is the best combination of input/outputxors. In finding the best characteristics 
we therefore try to maximize the number of these zero-rounds. In the following 
we will show different models of iterative characteristics for DES and s²-DES. In 
sections 3 and 4 we will justify the usability of the models by showing concrete 
examples of these in DES and s²-DES. 

2.1 2-round iterative characteristics 

Two consecutive zero-rounds in a characteristic of DES-like cryptosystems lead 
to equal inputs and outputs of all rounds. We get equal plaintexts resulting 
in equal ciphertexts, a trivial fact. The maximum occurrence of zero-rounds 
therefore is every second round. This situation evolves by using the 2-round 
characteristic as in [1]. In the following we will use this notation: 

(Φ, 0) 
    0 ← 0          prob. 1 
    0 ← Φ          prob. something 
(0, Φ) 

for the 2-round iterative characteristic. 
2.2 3-round characteristics 

In [7] Knudsen found that the best differential attack on LOKI89 [9] was based 
on a 3-round fix-point characteristic. A fixpoint is an inputxor that can result in 
itself as an outputxor. Instead of looking for fixpoints we should in general look 
for, what we call, twinxors. 

Definition 1 Twinxors, Γ and Φ, are xors for which Φ ← Γ and Γ ← Φ, both 
combinations with a positive probability. 

With twinxors we can build the following 3-round characteristic¹: 

The characteristic is in fact only "half" an iterative characteristic. Concatenated 
with the characteristic with rounds no. 2 and 3 interchanged we obtain: 

In that way we get a 6-round iterative characteristic. Still we choose to call the 
3-round characteristic an iterative characteristic. 



2.3 4-round characteristic 

As for the 3-round characteristic we look for a 4-round characteristic, which ex-
tended to 8 rounds becomes an iterative characteristic. It must have the following 
form: 

(Γ, 0) 
    0 ← 0              prob. 1 
    Φ ← Γ              some prob. 
    Γ ⊕ Ψ ← Φ          some prob. 
    Φ ← Ψ              some prob. 
(0, Ψ) 

It means that we have to find two inputxors Ψ and Γ both resulting in Φ, and Φ 
resulting in the (xor-)difference between Ψ and Γ. 





¹ The best twinxors for LOKI89 are obtained with Γ = Φ = 00400000_x, i.e. fixpoints. 

2.4 Longer characteristics 

We can of course continue the search for n-round characteristics, n > 4. Each 
time we go one round further, we compare the characteristic we are now looking 
for with the best characteristic we have found so far. We can easily find the 
best non-trivial input/outputxor combination in the pairs xor distribution table. 
From this probability we calculate the maximum number of different inputs to 
S-boxes we can have for the characteristic to be better than the one we have 
found. 

By looking closer at the possible xor-combinations and the overall architecture 
of the cryptosystem we can calculate the minimum number of different inputs to 
S-boxes we must have for the particular characteristic. Using this minimum and 
the above maximum we find the possible combinations of input- and outputxors 
in the characteristic and compare the probability with the other characteristics 
we have found. 

Of course characteristics do not have to contain a zero-round. Before making 
any conclusions about the best possible characteristic, we must check whether 
good characteristics of this kind exist. 

3 DES 

3.1 Properties 

The following 5 properties of the DES S-boxes are well known. 

1. No S-box is a linear or affine function. 

2. Changing one bit in the input to an S-box results in changing at least two 
output bits. 

3. The S-boxes were chosen to minimize the difference between the number of 
1's and 0's when any single bit is held constant. 

4. S(x) and S(x ⊕ (001100)) differ in at least two bits. 

5. S(x) ≠ S(x ⊕ (11ef00)) for any e and f. 

A DES S-box consists of 4 rows of 4-bit bijective functions. The input to an 
S-box is 6 bits. The left outermost bit and the right outermost bit (the row bits) 
determine through which function the four remaining bits (the column bits) are 
to be evaluated. This fact gives us a 6th property of the DES S-boxes important 
for differential cryptanalysis. 

6. S(x) ≠ S(x ⊕ (0abcd0)) for any a, b, c and d, abcd ≠ 0000. 

The inner input bits for an S-box are input bits that do not affect the inputs 
of other S-boxes. We have two inner input bits for every S-box. Because of the 
P-permutation we have the following property also important for differential 
cryptanalysis. 

- The inner input bits for an S-box, Si, come from S-boxes whose inner input 
bits cannot come from Si. 

Example: The inner input bits for S1 come from S2 and S5, whose inner input 
bits come from S3 and S7 respectively S2 and S6. 
3.2 2-round iterative characteristics 

As stated in [1, 3] the best characteristics for a differential attack on 16-round 
DES are based on a 2-round iterative characteristic. The following theorem was 
already proven in [5]. We give the proof in a different manner. 

Theorem 1 If two inputs to the F-function result in equal outputs, the inputs 
must differ in at least 3 neighbouring S-boxes. 

Proof: If the inputs differ only in the input to one S-box the expanded inputxor 
must have the following form: 00ab00 (binary), where ab ≠ 00. Because of prop-
erties 2 and 4 above, these inputs cannot give equal outputs. This also tells us 
that the inputs must differ in neighbouring S-boxes. If the inputs differ in only 
two neighbouring S-boxes, Si and S(i + 1), the two inputxors must have the 
following forms: Si : 00abcd and S(i + 1) : cdef00. Now 

cd ≠ 00, because of properties 2 and 4. 
cd ≠ 01, because of property 6 for S(i + 1). 
cd ≠ 10, because of property 6 for S(i). 
cd ≠ 11, because of property 5 for S(i + 1). 

□ 

We have several 2-round iterative characteristics for DES, where the inputs differ 
in three neighbouring S-boxes. By consulting the pairs XOR distribution table 
for the 8 S-boxes we easily find the best possibilities. The two best of these 
are used in [3] to break the full 16-round DES using 2^47 chosen plaintexts. The 
probability of the two characteristics is 1/234 for the two rounds. 

3.3 3-round iterative characteristics 

The highest probability for a non trivial input/outputxor combination in DES 
is 1/4. Because (1/4)^x > (1/234)^1.5 ⇒ x < 6, there can be different inputs to at most 
5 S-boxes for the two nonzero rounds together. Because of the P-permutation in 
DES, see Section 3.1, Φ and Γ must differ in the inputs to at least two S-boxes 
each. Property 2 of the S-boxes implies that at least one additional S-box has 
different inputs, making Φ and Γ together differ in the inputs to at least 5 S-
boxes. The proof is given in the Appendix. For DES the best twinxors, which 
differ in the inputs to 5 S-boxes, are Φ = 31200000_x and Γ = 00004200_x. The 
probability for the 3-round iterative characteristic is 2^-18.42. This probability 
is very low and there are in fact twinxors which together differ in the inputs to 
6 S-boxes with a higher probability, Φ = 03140000_x and Γ = 00004014_x. The 
probability for the 3-round iterative characteristic is 2^-18.1. Both characteristics 
have a probability too low to be used in a successful differential attack. 

3.4 4-round iterative characteristics 

There can be different inputs to at most 7 S-boxes, because (1/4)^x > (1/234)^2 ⇒ 
x < 8, however there is no 4-round iterative characteristic for DES with a 
probability higher than for the best 2-round iterative characteristic concatenated 
with itself. The proof is tedious and is given in the Appendix. 
3.5 Longer characteristics 

We believe that it can be proven that we cannot find n-round iterative char-
acteristics, n > 4, with probabilities higher than for the best 2-round iterative 
characteristic concatenated with itself n/2 times. To obtain this for a 5-round 
iterative characteristic there can be different inputs to at most 9 S-boxes, as 
(1/4)^x ≥ (1/234)^2.5 ⇒ x < 10. It seems impossible that we can find such a character-
istic differing in the inputs to 9 S-boxes with all combinations having a probability 
close to the highest possible of 1/4. If we go one round further to a 6-round itera-
tive characteristic the doubt will be even bigger. Before making any conclusions 
for the best differential attack on DES using characteristics, we must also check 
that no non-iterative characteristics exist, as stated in Section 2.4. These proofs 
are a topic for further research. 

4 s²-DES 

4.1 Properties 

Kim's s²-DES S-boxes do not have the DES properties 2, 4 and 5. They do have 
a property though that is part of property 2 for the DES S-boxes. 

4a. S(x) ≠ S(x ⊕ (a0000b)) for ab ≠ 00. 

As the s²-DES S-boxes are built as 4 rows of 4-bit bijective functions, they have 
property 6 like the DES S-boxes. 

4.2 2-round characteristics 

Because of property 6 there is no 2-round iterative characteristic for Kim's s²-DES 
S-boxes where the inputs differ only in one S-box, however the lack of property 
5 enables us to build a 2-round iterative characteristic where the inputs differ in 
two neighbouring S-boxes. We have 

0_x ← 00000580_x with prob. ≈ 1/51 

Extending this characteristic to 15 rounds yields a probability of 2^-39.7. Using 
the original attack by Biham and Shamir [1] we will need about 2^42 chosen 
plaintexts for a successful differential attack. To do a similar attack as by Biham 
and Shamir in [3] we construct a 13-round characteristic with probability 2^-34. 
The megastructures used in the attack will consist of 2^9 plaintexts and we will 
need a total of about 2^35 chosen plaintexts for the attack. This being said without 
having studied the attack in detail. The above characteristic is not the only 2-
round iterative characteristic for s²-DES that is better than the best 2-round 
iterative characteristics for DES. We have several others; the two second-best 
characteristics, both with the same probability, are based on the combinations 
0_x ← 07e00000_x and 0_x ← 5c000000_x. 
4.3 3-round characteristics 

The best non-trivial input/outputxor combination in s²-DES has probability 1/4. 
Therefore there can be at most 4 S-boxes with different inputs in the 3 rounds 
all together, as (1/4)^x > (1/51)^1.5 ⇒ x < 5. As with DES, because of the P-
permutation, Φ and Γ must differ in the inputs to at least two S-boxes each. 
Unlike for DES it is possible for two inputs different in only 1 bit to result in 
two outputs different in 1 bit. Therefore we can build a 3-round characteristic 
with Φ = 04040000_x and Γ = 00404000_x. The probability for the characteristic 
is about 2^-13.5. This is the best 3-round characteristic we have found for 
s²-DES. We can build a 13-round characteristic to be used as in the attack 
in [3]. The probability for the characteristic is 2^-52.5. However we can use the 
combinations from the 3-round characteristic to build 6-round "half"-iterative 
characteristics, which are better, as we will show later. 



4.4 4-round characteristics 

There can be at most 5 S-boxes with different inputs, because (1/4)^x > (1/51)^2 ⇒ 
x < 6, and again we exploit the fact that the s²-DES S-boxes do not have property 
2. We construct a 4-round characteristic based on the following combinations: 

00000002_x ← 0000006e_x 
00080000_x ← 00020000_x 
00000002_x ← 0000002e_x 

We have P(00000002_x) = 00020000_x and P(00080000_x) = 00000040_x = 0000006e_x 
⊕ 0000002e_x. The total probability for the 4-round characteristic is 2^-14.77. Ex-
tended to 13 rounds we obtain a probability of 2^-44.3. 



4.5 Longer characteristics 

A 5-round iterative characteristic will have to differ in the inputs to at least 
6 S-boxes. However we can find 6-round iterative characteristics also different 
in the inputs to only 6 S-boxes as indicated above. The P-permutation makes 
it impossible to have Φ → Γ and Γ → Φ, where both Φ and Γ differ only in 
the inputs to one S-box. However it is possible to have Φ, Γ, Ψ and Ω, all four 
different only in the input to one S-box and such that Φ → Γ, Γ → Ψ, Ψ → Ω 
and Ω → Φ. We use this observation to construct a 6-round characteristic: 

(Φ, 0) 
    0 ← 0                  prob. 1 
    Γ ← Φ                  some prob. 
    Ψ ← Γ                  some prob. 
    Γ ⊕ Ω ← Φ ⊕ Ψ          some prob. 
    Φ ← Ω                  some prob. 
    Ω ← Ψ                  some prob. 
(0, Ψ) 

With Φ = 04000000_x, Γ = 00004000_x, Ψ = 00040000_x and Ω = 00400000_x we 
get a total probability for the 6-round characteristic of (8·10·8·6·4·6)/64^6 ≈ 2^-19.5. 
Extended to 13 rounds the probability becomes 2^-39. Starting with (Γ, 0) we 
get a similar 6-round characteristic with probability 2^-19.5. Starting with (Ψ, 0) 
or (Ω, 0) yields a 6-round characteristic with probability 2^-19.8. These 6-round 
characteristics differ in the inputs to 6 S-boxes, that is, different inputs to one 
S-box per round on average. 

If we try to construct n-round iterative characteristics, n > 6, we find that we 
will get more than one S-box difference per round on average. 

4.6 Conclusion on Kim's s²-DES S-boxes. 

The above illustrates that we have to ensure that DES-like S-boxes have the six 
properties listed in section 3.1. The fact that for s²-DES two inputs different 
only in the inputs to 2 neighbouring S-boxes can result in equal outputs enables 
us to build a 2-round iterative characteristic more than 4 times as good as the 
best 2-round characteristic for DES. The fact that two S-box inputs different in 
only one bit can result in outputs different in one bit enables us to construct a 
4-round and a 6-round iterative characteristic both better for differential attacks 
on s²-DES than the 2-round characteristic for DES. Furthermore we must check 
that there is no 2-round iterative characteristic where only 3 neighbouring S-
boxes differ in the inputs with a too high probability. For the s²-DES S-boxes 
the best such characteristic is based on the combination 0_x ← dc000002_x. It has 
probability (10·16·14)/64^3 ≈ 1/117. This is higher than the best 2-round characteristic 
for DES and illustrates that we should also consider this in the construction of 
DES-like S-boxes. 

5 Probabilities of iterative characteristics 
5.1 DES 

As stated earlier the best characteristics for a differential attack on DES are 
based on 2-round iterative characteristics. The two best of these have the fol-
lowing inputxors in the second round: Φ = 19600000_x and Γ = 1b600000_x. Both 
xors lead to equal outputs with probability 1/234. However this probability is only 
an "average" probability. As stated in [1, section 6.5], if the sixth keybit used in 
S2 is different from the second keybit used in S3 the probability for Φ increases 
to 1/146 and the probability for Γ decreases to 1/585. If the two keybits are equal 
the probabilities will be interchanged. We call these keybits critical keybits for 
Φ and Γ. In their attack on DES [3] Biham and Shamir use these two character-
istics to build 13-round characteristics, where six rounds have inputxor Φ or Γ. 
The probability is claimed to be (1/234)^6 ≈ 2^-47.22. But depending on the values 
of the six pairs of critical keybits the probability for Φ will vary from (1/146)^6 ≈ 
2^-43.16 to (1/585)^6 ≈ 2^-55.16 and the other way around for Γ. Using both charac-
teristics as in [3] we are ensured to get one characteristic with a probability of 
at least (1/(146·585))^3 ≈ 2^-49.16. Table 1 shows the probabilities and for how many 
keys they will occur. 

Table 1. The probabilities for the best 13-round characteristic obtained by using the 
2 characteristics Φ and Γ. 

#Keys (log2)    Probability (log2) 
51.00           -43.16 
53.58           -45.16 
54.88           -47.16 
54.30           -49.16 

It means that for one out of 32 keys, we will get a 13-round characteristic with 
the highest probability and for about one out of three keys we will get the lowest 
probability. We found that for other 2-round iterative characteristics the prob-
ability splits into more than one depending on equality/inequality of certain 
critical keybits. It turns out that we can find 2-round iterative characteristics 
for which the best of these probabilities is better than the lowest for Φ and 
Γ. For the 2-round characteristic (with inputxor) 00196000_x we have only one 
probability. It means that regardless of the key values this characteristic will 
have a probability of 1/256. Table 2 shows the probabilities for Φ and Γ and for 
the 2-round iterative characteristics whose best probability is higher than 1/585. 



Table 2. Exact probabilities for 11 characteristics. 

Characteristic        Probabilities (1/n)        Average Prob. (1/n) 
19600000_x            146, 585                   234 
1b600000_x            585, 146                   234 
00196000_x            256                        256 
000003d4_x            210, 390                   273 
4000001d_x            205, 1024                  341 
19400000_x (+)        0, 195                     390 
1b400000_x (+)        195, 0                     390 
40000019_x ($)        248, 390, 744, 1170        455 
4000001b_x ($)        248, 390, 744, 1170        455 
1de00000_x (+)        205, 512, 819, 2048        468 
1f600000_x (+)        205, 512, 819, 2048        468 



It seems unlikely that we can find n-round characteristics, n > 2, for which the 
exact probabilities will be higher than for the above mentioned 2-round iterative 
characteristics. The subkeys in DES are dependent, therefore some keybits might 
be critical for one characteristic in one round and for another characteristic in 
another round. For example by using characteristic 19400000_x we have the two 
probabilities 1/195 and 0. But this division of the probability depends on the val-
ues of the same critical keybits as for Φ and Γ and we would get a probability of 
1/146 for either Φ or Γ. The characteristics marked with (+) in Table 2 depend 
on the values of the same critical keybits as for Φ and Γ. Doing an attack on 
DES similar to the one given in [3], this time using the first 5 of the above char-
acteristics will give us better probabilities for a 13-round characteristic. Table 3 
shows the best probabilities and for how many keys these will occur. 

Table 3. The probabilities for the best 13-round characteristic obtained by using 5 
characteristics. 

#Keys (log2)    Probability (log2) 
51.00           -43.16 
53.58           -45.16 
49.64           -46.07 
49.64           -46.29 
54.88           -47.16 
50.90           -47.18 
54.10           -48.00 

The above probabilities are calculated by carefully examining the critical keybits for the 5 
characteristics in the rounds no. 3, 5, 7, 9, 11 and 13, i.e. the rounds where we 
will expect the above inputxors to be. Using the two characteristics in Table 
2 marked with ($) in addition would yield slightly better probabilities. However 
the best probability we would get by using these characteristics is (1/248)^6 ≈ 2^-47.7 
and it would occur only for a small number of keys. 

As indicated in Table 3 we are ensured to get a characteristic with a proba-
bility of at least 2^-48. However the megastructures of plaintexts and analysis 
will become more complex. Whether using 5 characteristics instead of two will 
dramatically increase the complexity of the analysis remains an open question. 

5.2 s²-DES 

The best characteristic for an attack on s²-DES is, as we saw earlier, a 2-round 
iterative characteristic with (average) probability of about 1/51. The exact probabili-
ties of this characteristic make the probability for a 13-round 
characteristic vary from 2^-35 to 2^-33. It means that even in the worst case the 
characteristic is far better than the best characteristics for DES. 

A Appendix 

In this section we give the proofs of the claims given in Sect. 3.3 and 3.4. 
Notation: Let Γ be an xor-sum of two inputs Y, Y* to the F-function. Then 
AS(Γ) is the set of S-boxes whose inputs are different after the E-expansion of 
Y and Y*. Furthermore #AS(Γ) denotes the number of S-boxes in AS(Γ). Ex-
ample: Let Γ = 0f000000_x (hex), then AS(Γ) = {S1, S2, S3} and #AS(Γ) = 3. 
Note that xor-addition is linear in both the E-expansion and the P-permutation 
of DES. In the proofs below the following Tables and lemmata are used. Table 4 
shows for each of the 8 S-boxes which S-boxes are affected by the output of 
the particular S-box. Numbers with a subscript indicate that the particular bit 
affects one S-box directly and another S-box via the E-expansion. Example: If 
the output of S1 is 6_x (hex), then S-boxes 5 and 6 are directly affected and 
S-box 4 is affected after the E-expansion in the following round. Table 5 shows 
the reverse of Table 4, i.e. for every S-box it is shown which S-boxes from the 
preceding round affect the input. 



Table 4. Where the bits from an S-box go to 

S1 → 3₂  5₄  6   8 
S2 → 4₃  7₈  1   5 
S3 → 6₇  4₅  8   2 
S4 → 7   5₆  3   1₈ 
S5 → 2₃  4   7₆  1 
S6 → 1₂  8₇  3   5 
S7 → 8₁  3₄  6   2 
S8 → 2₁  7   4   6₅ 



Table 5. Where the bits for an S-box come from 

S1:  4 2 5 6 
S2:  8 3 7 5 
S3:  1 4 6 7 
S4:  2 5 8 3 
S5:  1 2 6 4 
S6:  8 7 1 3 
S7:  5 4 8 2 
S8:  6 3 1 7 



The next five lemmata follow from Table 4 and 5. 

Lemma 1 The six bits that make the input for an S-box, Si, come from six 
distinct S-boxes and not from Si itself. 

Lemma 2 The middle six input bits for two neighbouring S-boxes come from 
six distinct S-boxes. 

Lemma 3 The middle ten input bits for three neighbouring S-boxes come from 
all 8 S-boxes. Six of the ten bits come from six distinct S-boxes and four bits 
come from the remaining two S-boxes. 

Lemma 4 The middle two bits in the input of an S-box Si, the inner input bits, 
come from two S-boxes, whose inner input bits cannot come from Si. 

Lemma 5 Let Φ and Γ be two input sums, where Φ → Γ. If #AS(Φ) = 
#AS(Γ) = 2 then for at least one S-box of AS(Γ) the inputs differ in only 
one bit. 
Theorem 2 For twinxors, Γ and Φ, i.e. Γ → Φ and Φ → Γ, the inputs to at 
least 5 S-boxes are different. That is, #AS(Γ) + #AS(Φ) ≥ 5. 

Proof: 1. #AS(Γ) = 1. The inputs to AS(Γ) differ in the inner input bits, i.e. at 
most two bits. Because of properties 2 and 4 of the DES S-boxes #AS(Φ) ≥ 2. 
The inputs of AS(Φ) differ in at most one bit each. Because of property 2 the 
outputs of Φ differ in at least four bits. Therefore Φ ↛ Γ. 

2. #AS(Γ) = 2. Because of the symmetry of the characteristic we have imme-
diately #AS(Φ) ≥ 2. There are two cases to consider: 

a. AS(Γ) are not neighbours. Because of properties 2 and 4 the outputs of 
both S-boxes in AS(Γ) will differ in at least two bits, making #AS(Φ) ≥ 3 
according to Table 4. 

b. AS(Γ) are neighbours. From Lemma 2 it follows that the outputs of AS(Φ) 
differ in at most one bit each. Property 2 requires the inputs of AS(Φ) to 
differ in at least two bits each. From Table 4 it follows that the only way two 
neighbouring S-boxes in Γ can make the inputs of AS(Φ) differ in at least 
two bits each is when #AS(Φ) = 3. This is however not possible for all two 
neighbouring S-boxes. For example let AS(Γ) = {S5, S6}, then it is possible 
to get AS(Φ) = {S1, S2, S3} where for each S-box the inputs differ in two 
bits. But for AS(Γ) = {S1, S2} there will always be at least one S-box in 
AS(Φ), whose inputs differ in only one bit. 

3. #AS(Γ) ≥ 3. Because of the symmetry of twinxors #AS(Φ) ≥ 2. □ 

We want to show that there is no 4-round iterative characteristic with a
probability higher than the best 2-round iterative characteristic concatenated
with itself. First we prove

Theorem 3 For a 4-round iterative characteristic with input sums Γ, Φ and Ψ,
see Section 2.2,

#AS(Γ) + #AS(Φ) + #AS(Ψ) ≥ 7.

Furthermore, for at least one of the input sums, the inputs to three neighbouring
S-boxes differ.

Proof: We are looking for input sums Γ, Φ and Ψ, such that Γ → Φ and
Φ → Γ ⊕ Ψ. Note that AS(Γ) ∩ AS(Ψ) ≠ ∅ and that if AS(Γ) are neighbours
then so are AS(Ψ).

1. #AS(Γ) = 1. From the proof of Theorem 2 we have #AS(Φ) ≥ 2, and each
of the inputs to those S-boxes differ in exactly one bit.

a. #AS(Φ) = 2. The S-boxes in AS(Φ) are not neighbours and the inputs
differ in one inner input bit, therefore each of the outputs differ in at least
two bits. From a close look at Table 4 it follows that if AS(Γ) = S7 then it
is possible to get #AS(Ψ) = 3, but then for one S-box ∈ AS(Ψ), not S7,
the inputs differ in only one bit, an inner input bit. If AS(Γ) ≠ S7 then
#AS(Ψ) ≥ 4 and for at least one S-box, not AS(Γ), the inputs differ in only
one bit. Therefore Ψ ↛ Φ.

b. #AS(Φ) ≥ 3. The outputs for every S-box of AS(Φ) differ in at least two bits.
It follows easily from Table 4 that #AS(Γ ⊕ Ψ) ≥ 4. Since AS(Γ) ⊂ AS(Ψ),
#AS(Ψ) ≥ 4.

2. #AS(Γ) = 2. By the symmetry of the characteristic #AS(Ψ) ≥ 2 and
therefore #AS(Φ) ≤ 3. There are two cases to consider:

a. AS(Γ) are not neighbours. Because of properties 2 and 4 #AS(Φ) ≥ 3
leaving only the possibility that #AS(Ψ) = 2 and #AS(Φ) = 3. The
S-boxes in AS(Φ) must be neighbours. If not, let Si be an isolated S-box,
different in the inputs in only inner bits. The outputs of Si differ in at least
two bits, that must go to the inner bits of the two S-boxes in AS(Γ), since
AS(Γ) = AS(Ψ). But that is not possible according to Lemma 4.

b. AS(Γ) are neighbours.

i) #AS(Φ) = 1. The outputs of AS(Φ) differ in at least two bits. From
Table 4 it follows easily that for at least one S-box ∈ AS(Ψ) \ AS(Γ) the
inputs differ in only one bit and Ψ ↛ Φ.

ii) #AS(Φ) = 2. Assume that #AS(Ψ) = 2. If AS(Γ) = AS(Ψ) then the
outputs of AS(Φ) can differ in at most one bit each, according to Lemma
2. But by Lemma 5, the inputs of at least one S-box in AS(Φ) differ in
only one bit, a contradiction by property 2. Therefore AS(Γ) ≠ AS(Ψ).
Since AS(Γ) ∩ AS(Ψ) ≠ ∅ and AS(Γ) are neighbours we must have
AS(Γ) = {S(i − 1), S(i)} and AS(Ψ) = {S(i), S(i + 1)} or vice versa.
The outputs from S(i − 1) in Γ must be equal as must the outputs from
S(i + 1) in Ψ. Therefore Γ ⊕ Ψ must have the following form (before the
expansion):

S(i − 1) ‖ S(i) ‖ S(i + 1) = 0xyz ‖ 1**1 ‖ 0vw0 ,

where '*' is any bit, xyz ≠ 000 and vw ≠ 00. From Table 5 it follows
that Φ ↛ Γ ⊕ Ψ for #AS(Φ) = 2 and therefore #AS(Ψ) ≥ 3.

iii) #AS(Φ) = 3. Then #AS(Ψ) = 2. If AS(Γ) ≠ AS(Ψ) then the differences
in the inputs to Φ are the effect of one S-box. For every S-box in
AS(Φ) the inputs differ in only one bit, therefore Φ ↛ Γ ⊕ Ψ. By similar
reasoning we find that for both S-boxes in AS(Γ) the outputs have to
differ. Furthermore AS(Φ) are neighbours. Assume that they are not.
Then the outputs of the isolated S-box differ in at least two bits and
from Table 4 it follows that they affect at least 2 not neighbouring or 3
neighbouring S-boxes, a contradiction with AS(Γ) = AS(Ψ).

3. #AS(Γ) = 3. Because of the symmetry in the characteristic we already
covered the cases where #AS(Ψ) < 3. Ther  efore #AS(Γ) = #AS(Ψ) = 3 and
#AS(Φ) = 1. AS(Γ) must be neighbours. Furthermore AS(Γ) = AS(Ψ) otherwise
Φ ↛ Γ ⊕ Ψ. □

Theorem 4 There are no 4-round iterative characteristics with a probability
higher than (1/234)².

Proof: From the proof of Theorem 3 we find that to have a 4-round iterative
characteristic, the inputs to seven S-boxes must be different in the three nonzero
rounds. Furthermore for at least one round the inputs to three neighbouring
S-boxes must be different. There are three cases to consider.

          #AS(Γ)   #AS(Φ)   #AS(Ψ)
  Case A     2        2        3
  Case B     2        3        2
  Case C     3        1        3

Case A: By Lemma 5 we know that for at least one S-box in AS(Φ) the inputs
differ in only one bit. Furthermore for at least one of the three neighbouring
S-boxes in AS(Ψ) the outputs must be equal, otherwise Ψ ↛ Φ. There are two
cases to consider:

1. For both S-boxes in AS(Φ) the inputs differ in only one bit. By property
2 the outputs differ in at least two bits each. For every three neighbouring
S-boxes in Ψ we know the only two possible S-boxes of AS(Φ) by Lemma
3 and Table 5. Example: If AS(Ψ) = {S1, S2, S3} then AS(Φ) = {S5, S6}.
Furthermore the outputs of either S1 or S3 must be equal.

We have eight triples of three neighbouring S-boxes in Ψ to examine and
from Tables 4 and 5 it follows that there are only three possible values for
AS(Ψ) and AS(Φ). From the pairs xor distribution table we find that the best
combination for Ψ → Φ has probability 8x ffi 10 . But then the probability
for a 4-round iterative characteristic P(4R) < ^ x 8x ffi 10 < (1/234)².

2. For one of the S-boxes in AS(Φ) the inputs differ in one bit, for the other
S-box the inputs differ in two bits. For every three neighbouring S-boxes of
Ψ there are only two possibilities for the S-box in AS(Φ), whose inputs differ
in only one bit. From a closer look at Table 4 it follows that AS(Φ) must
be neighbours and there are only two possible values for AS(Ψ) and AS(Φ).
From the pairs xor distribution table we find that the best combination for
Ψ → Φ has probability 12 g^a* 4 . But then the probability for the 4-round
iterative characteristic P(4R) < ^ x 12x ^ x4 < (1/234)².

Case B: The three S-boxes in AS(Φ) are neighbours. From the proof of Theorem
3 we have AS(Γ) = AS(Ψ). Then by Lemma 2 the outputs of each of the
three neighbouring S-boxes in AS(Φ) can differ in at most one bit, therefore the
inputs must differ in at least two bits each by property 2. Then it follows from
Table 5 that for each of the S-boxes in AS(Γ) the outputs must differ in two bits.
For every triple of three neighbouring S-boxes in AS(Φ) there is only one possible
way for the inputs to differ and only one possibility for AS(Γ). The best
combination of AS(Γ) and AS(Φ) gives a probability for the 4-round iterative
characteristic P(4R) < 12xiax»x(8x4)' K (1/234)².

Case C: From Theorem 3 we have AS(Γ) = AS(Ψ). The only possibility we have
for a 4-round iterative characteristic of this kind is when AS(Γ) = {S2, S3, S4}
and AS(Φ) = {S7}. The best combination yields a probability for the 4-round
iterative characteristic P(4R) < ^ x 14 * 4 8 3 x8 < (1/234)². □
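The bounds above are read off the pairs xor distribution tables of the S-boxes, and the proofs lean on two S-box properties: inputs that differ in exactly one bit, or in exactly the two middle bits, give outputs that differ in at least two bits. The following Python is an added example, not the paper's code: it builds the pairs xor distribution table of DES S1 (table as published in FIPS 46), returns the best output xor for a given input xor, and checks both properties over every input pair. That these two published design criteria are the paper's "property 2" and "property 4" is my assumption; the property list itself is defined earlier in the paper, not on this page.

```python
# DES S-box S1 from FIPS 46: outer input bits (b5, b0) pick the row, inner four bits the column.
S1 = [
    [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7],
    [0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8],
    [4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0],
    [15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13],
]

ONE_BIT = [1 << i for i in range(6)]   # the six single-bit input differences
MIDDLE_TWO = 0b001100                  # difference in exactly the two middle input bits


def sbox(table, x):
    """6-bit input -> 4-bit output, with the FIPS row/column convention."""
    row = (((x >> 5) & 1) << 1) | (x & 1)
    col = (x >> 1) & 0xF
    return table[row][col]


def xor_table(table):
    """Pairs xor distribution table: ddt[din][dout] counts inputs x with
    S(x) ^ S(x ^ din) == dout. Each row sums to 64 and ddt[0] is 64 at dout = 0."""
    ddt = [[0] * 16 for _ in range(64)]
    for din in range(64):
        for x in range(64):
            ddt[din][sbox(table, x) ^ sbox(table, x ^ din)] += 1
    return ddt


def best_output_xor(ddt, din):
    """Most likely output xor for input xor din, with its probability (count / 64);
    this is the quantity the Case A/B/C bounds are built from."""
    dout = max(range(16), key=lambda d: ddt[din][d])
    return dout, ddt[din][dout] / 64


def min_output_weight(ddt, dins):
    """Smallest Hamming weight of any output xor that actually occurs for one of the
    input xors in `dins` (0 would mean equal outputs for different inputs)."""
    return min(bin(dout).count("1")
               for din in dins for dout in range(16) if ddt[din][dout])


def check_design_properties(table):
    """One-bit input differences and the middle-two-bit difference both force
    output differences of at least two bits."""
    ddt = xor_table(table)
    return min_output_weight(ddt, ONE_BIT) >= 2 and min_output_weight(ddt, [MIDDLE_TWO]) >= 2


if __name__ == "__main__":
    ddt = xor_table(S1)
    for din in ONE_BIT:
        print("din=%02x best dout=%x p=%.3f" % (din, *best_output_xor(ddt, din)))
    print("properties hold for S1:", check_design_properties(S1))
```

The same functions apply unchanged to S2..S8 once their tables are supplied; the counts in the table are always even for a nonzero input xor because x and x ⊕ din are counted as a pair.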
DES is not a Group

Keith W. Campbell and Michael J. Wiener
Bell-Northern Research, P.O. Box 3511 Station C, Ottawa, Ontario, Canada, K1Y 4H7

Abstract. We prove that the set of DES permutations (encryption and
decryption for each DES key) is not closed under functional composition. This
implies that, in general, multiple DES-encryption is not equivalent to single
DES-encryption, and that DES is not susceptible to a particular known-plaintext
attack which requires, on average, 2^28 steps. We also show that the size of the
subgroup generated by the set of DES permutations is greater than 10^2499, which
is too large for potential attacks on DES which would exploit a small subgroup.

1. Introduction 

The Data Encryption Standard (DES) [3] defines a set of permutations on messages from
the set M = {0, 1}^64. The permutations consist of encryption and decryption with keys
from the set K = {0, 1}^56. Let E_k: M → M denote the encryption permutation for key k,
and let E_k^-1 be the corresponding decryption permutation. If the set of DES permutations
were closed under functional composition, then for any two permutations t and u, there
would exist some other permutation v such that u(t(m)) = v(m) for all messages m ∈ M.

The question of whether the set of DES permutations is closed under functional
composition is an important one because closure would imply that there exists a known-
plaintext attack on DES that requires, on average, 2^28 steps [4]. Furthermore, multiple
encryption would be susceptible to the same attack because multiple encryption would be
equivalent to single encryption.

Kaliski, Rivest, and Sherman developed novel cycling tests which gave evidence that the
set of DES permutations is not closed [4]. However, their work relied upon randomness
assumptions about either DES itself or a pseudo-random function p: M → K which was
used in cycling experiments. Because of the randomness assumptions, it is difficult to use
the results of their cycling tests to make any claims about the probability that DES is not
closed.

We have developed our own DES cycling experiments which provide evidence that DES 
is not closed; this evidence does not rely upon randomness assumptions. Our cycling 
experiments are similar to those of Quisquater and Delescaille for finding DES collisions 
[7, 8]. Other recent related work is the switching closure tests of Morita, Ohta, and 
Miyaguchi [6]. 

E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 512-520, 1993.
© Springer-Verlag Berlin Heidelberg 1993
Don Coppersmith has developed an approach to finding a lower bound on the size of the
subgroup generated by the DES permutations [1]. He has shown this lower bound to be
greater than the number of DES permutations, providing conclusive proof that DES is not
closed.

Section 2 contains the new probabilistic argument against closure which relies upon the
ability to find a set of four keys which quadruple-encrypt a particular plaintext message to
a particular ciphertext message. Finding such four-key mappings can be done with an
approach similar to finding DES collisions. In Section 3, we review previous work in
collision finding and build up to the new method of finding four-key mappings. Section 4
contains further details on our experiments. In Section 5, we describe Don Coppersmith's
approach to obtaining a lower bound on the size of the subgroup generated by the DES
permutations, thereby proving that DES is not closed. We also discuss our results based
on his approach.

2. Strong Evidence Against Closure 

We begin with the hypothesis that the set of DES permutations is closed and search for a
contradiction. Let S_p be the set of messages that can result from encrypting or decrypting
a particular message p with any DES key. Because there are 2^56 keys, S_p contains at most
2^57 messages. From the hypothesis, S_p is also the set of all possible messages which can
result when multiple permutations are applied to p. If a message c ∈ M is selected at
random, the probability that c ∈ S_p is at most 2^57/2^64 = 2^-7. We selected 50 messages at
random (by coin tossing), and for each random message c, we searched for a set of
permutations which map p to c using p = 0 in each case. In all 50 cases we found a set of
four DES keys i, j, k, and l such that E_l(E_k(E_j(E_i(p)))) = c (see Appendix). Therefore,
c ∈ S_p and the probability of this event occurring 50 times is at most (2^-7)^50 = 2^-350.
Because this is an extremely unlikely occurrence, we must conclude that the original
hypothesis is incorrect and the set of DES permutations is (almost certainly) not closed
under functional composition.

The argument above does not rely upon any assumptions about the randomness of DES or 
any other function; the fact that four keys exist which map p to c for each randomly 
selected message c is sufficient to draw the conclusion. However, the method used to find 
the four keys in each case does rely upon randomness assumptions. 

3. Collision Finding 

The method used to find four keys which map one message to another is similar to the
approach taken by Quisquater and Delescaille in finding DES collisions¹ [7]. In both
cases a function f: M → M and an initial message x_0 are chosen which define the sequence
x_{i+1} = f(x_i) for i = 0, 1, ... Because M is finite, this sequence must eventually fall into a
cycle. Unless x_0 is in the cycle, the sequence consists of a leader flowing into a cycle. The
algorithms described by Sedgewick, Szymanski, and Yao [9] can be used to find the leader
length λ and the cycle length μ. If λ ≠ 0, this leads directly to finding a collision in f (i.e.,
a, b ∈ M such that f(a) = f(b), a ≠ b, see Figure 1).

¹ We have a DES collision when E_i(m) = E_j(m) for some m ∈ M, and i, j ∈ K, i ≠ j.




Figure 1 . Leader and Cycle in a Sequence 



DES Collisions 

To find DES collisions, Quisquater and Delescaille used the function f(x) = E_{g(x)}(m),
where g: M → K takes a message and produces a key for DES encryption, and m is a fixed
message. In this case, a collision in f is not necessarily a DES collision; if f(a) = f(b),
a ≠ b, but g(a) = g(b), then we have found a pseudo-collision where the keys are the same.
Because there are fewer keys than messages, there can be at most |K| distinct outputs from
f. Assuming that DES is random and a suitable function g is selected, the probability of a
collision in f leading to a DES collision is about |K|/|M| = 2^-8, and the expected time
required to find a collision in f is on the order of sqrt(|K|) = 2^28. Thus, the overall work factor
in repeating this procedure until a DES collision is found is about 2^28/2^-8 = 2^36. This can
be reduced somewhat using the method of distinguished points [7].

Two-Key Mapping 

The method of finding DES collisions above was extended by Quisquater and Delescaille
to find pairs of keys which double-encrypt a particular plaintext p to produce a particular
ciphertext c [8]. In this case, collisions were found between two functions f_1(x) = E_{g(x)}(p)
and f_0(x) = E_{g(x)}^-1(c). Given messages a, b such that f_1(a) = f_0(b), g(a) and g(b) are a pair of
keys with the desired property (i.e., E_{g(b)}(E_{g(a)}(p)) = c). To find a collision between f_1 and
f_0, define the function f as follows:

        f(x) = f_1(x)   if a particular bit of x is set                  (1)
               f_0(x)   otherwise

The particular bit that is used to choose between f_1 and f_0 is called the decision bit.

If DES is random, then we can expect collisions found in f to be collisions between f_1 and
f_0 about half of the time. This increases the expected work factor from 2^36 in the single-
DES collision case to 2^37 in this case.
Four-Key Mapping

The double-encryption collision finding above can be applied directly to the problem
discussed in Section 2 of finding a set of permutations which map p to c. However, we
improved upon this approach by searching for four keys rather than two. We chose
different functions f_1 and f_0:

        f_1(x) = E_{h(x)}(E_{g(x)}(p))   and   f_0(x) = E_{h(x)}^-1(E_{g(x)}^-1(c))        (2)

where functions g and h produce keys from messages, and the ordered pair (g(x), h(x)) is
distinct for all x ∈ M. This approach doubles the number of encryptions which must be
performed at each step of collision finding, but it eliminates the possibility of pseudo-
collisions. The expected number of steps required to find a collision in f in this case is on
the order of sqrt(|M|) = 2^32. To compare this running time to the two-key mapping above, we
should take into account the fact that this approach requires two DES operations at each
step instead of one. Also, only about half of the collisions in f are collisions between f_1
and f_0. Thus, assuming that DES is random, the work factor in finding four keys with the
required property is about 2^34, which is eight times faster than finding a two-key mapping.
The speed-up may be less than a factor of eight if the method of distinguished points is
used for finding two-key mappings.

4. Further Details on the Cycling Experiments 

In the cycling experiments, four-key mappings were sought as described in section 3 using
the functions f, f_1, and f_0 in equations (1) and (2). The functions g and h in equation (2)
were selected for ease of implementation. In the DES document [3], keys are represented
in 64 bits with every eighth bit (bits 8, 16, ..., 64) a parity bit,² leaving 56 independent bits.
The function g produces a key from a message by converting every eighth bit into a parity
bit. Function h produces a key from a message by shifting the message left one bit, and
then converting every eighth bit into a parity bit. Note that the ordered pair (g(x), h(x)) is
distinct for all x ∈ M so that there is no possibility of pseudo-collisions.

As a test, a four-key mapping was sought for p = c = 0. This value of c is not one of the 50
randomly-selected values which contribute to the argument in section 2. Using bit number
30 as the decision bit and an initial message x_0 = 0123456789ABCDEF (hexadecimal)
yielded a collision between f_1 and f_0 with the following results:

λ = 1143005696 (decimal)
μ = 2756683143 (decimal)

keys: 8908BF49D3DFA738, 10107C91A7BF4C73,
      4CEF086D6ED662AD, A7F7853737EAB057 (hexadecimal)

The results for the 50 random values of c are given in the Appendix. There were no 
additional values of c which were tried. This is important because failure for some values 
of c would greatly diminish the confidence in the conclusions drawn in section 2. 

² In the DES document [3], bits of a message are numbered from 1 to 64 starting from the leftmost bit.
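To make the four-key mapping search of Sections 3 and 4 concrete at a size that runs in seconds, here is an added example; it is my code, not the authors'. It stands in a constructed toy cipher for DES: a 16-bit, 4-round Feistel permutation with 8-bit keys, so that |K|/|M| = 2^-8 as for DES. The key-derivation functions g and h (low and high byte of the message, so (g(x), h(x)) is distinct for every x), the decision bit, and the cipher itself are assumptions; leader and cycle detection uses Floyd's algorithm rather than the Sedgewick, Szymanski, and Yao method the paper cites, and reports the same λ and μ. A collision between the f_1 and f_0 branches yields four keys i, j, k, l with E_l(E_k(E_j(E_i(p)))) = c, which `apply_keys` verifies.

```python
ROUNDS = 4
MASK16 = 0xFFFF
DECISION_BIT = 1 << 6       # assumption: any fixed bit of x may serve as the decision bit


def _round_fn(r, k):
    """Constructed 8-bit nonlinear round function; stands in for DES's f, not secure."""
    v = (r + k) & 0xFF
    v = ((v * 0x9D) ^ (v >> 3)) & 0xFF
    return (v ^ (v << 5)) & 0xFF


def _round_keys(key):
    """Toy key schedule for an 8-bit key: rotate and mix in a round constant."""
    return [(((key << i) | (key >> (8 - i))) & 0xFF) ^ ((0x2B * (i + 1)) & 0xFF)
            for i in range(ROUNDS)]


def encrypt(key, m):
    """E_key on 16-bit messages (Feistel structure, so it is a permutation)."""
    l, r = m >> 8, m & 0xFF
    for k in _round_keys(key):
        l, r = r, l ^ _round_fn(r, k)
    return (l << 8) | r


def decrypt(key, c):
    """E_key^-1: the same rounds with the round keys in reverse order."""
    l, r = c >> 8, c & 0xFF
    for k in reversed(_round_keys(key)):
        l, r = r ^ _round_fn(l, k), l
    return (l << 8) | r


def g(x):   # first key from a message (assumption: low byte)
    return x & 0xFF


def h(x):   # second key (assumption: high byte), so (g(x), h(x)) is distinct for all x
    return x >> 8


def make_f(p, c):
    """The paper's f of equations (1) and (2): f_1 on one branch, f_0 on the other."""
    def f1(x):
        return encrypt(h(x), encrypt(g(x), p))

    def f0(x):
        return decrypt(h(x), decrypt(g(x), c))

    return lambda x: f1(x) if x & DECISION_BIT else f0(x)


def floyd(f, x0):
    """Leader length lambda, cycle length mu, and the colliding pair (a, b) with
    f(a) == f(b), a != b, where a is the last leader element; (None, None) if lambda == 0."""
    tortoise, hare = f(x0), f(f(x0))
    while tortoise != hare:                      # phase 1: meet inside the cycle
        tortoise, hare = f(tortoise), f(f(hare))
    lam, tortoise, prev = 0, x0, (None, None)
    while tortoise != hare:                      # phase 2: walk to the cycle entry x_lambda
        prev = (tortoise, hare)
        tortoise, hare, lam = f(tortoise), f(hare), lam + 1
    mu, hare = 1, f(tortoise)                    # phase 3: measure the cycle
    while tortoise != hare:
        hare, mu = f(hare), mu + 1
    return lam, mu, prev


def find_four_key_mapping(p, c, x0=0x0123, max_starts=4096):
    """Search for keys (i, j, k, l) with E_l(E_k(E_j(E_i(p)))) == c. Returns (keys, lambda, mu)."""
    f = make_f(p, c)
    for n in range(max_starts):
        lam, mu, (a, b) = floyd(f, (x0 + n) & MASK16)
        if lam == 0 or (a & DECISION_BIT) == (b & DECISION_BIT):
            continue                             # no collision, or a same-branch one
        if not a & DECISION_BIT:
            a, b = b, a                          # a is the f_1 side, b the f_0 side
        # f_1(a) == f_0(b)  =>  E_g(b)(E_h(b)(E_h(a)(E_g(a)(p)))) == c
        return (g(a), h(a), h(b), g(b)), lam, mu
    return None


def apply_keys(p, keys):
    """Multiple encryption with the keys in order of application."""
    for k in keys:
        p = encrypt(k, p)
    return p


if __name__ == "__main__":
    keys, lam, mu = find_four_key_mapping(0x0000, 0xBEEF)
    print("keys %s  lambda=%d mu=%d  maps 0 to %04X" % (keys, lam, mu, apply_keys(0, keys)))
```

With 2^16 messages the expected leader plus cycle is a few hundred steps and about half of the collisions are cross-branch, so the search normally finishes on the first or second starting point; the structure is the same as the paper's search, with 2^32 in place of a few hundred.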
These experiments were conducted over a four-month period using the background cycles
on a set of workstations. The average number of workstations in use over the four-month
period was about ten, and in the end, more than 10^12 DES operations were performed.

5. Conclusive Proof that DES is not Closed 

In an as yet unpublished paper, Don Coppersmith described his latest work on finding a
lower bound on the size of the subgroup, G, generated by the DES permutations [1]. He
takes advantage of special properties of E_0 and E_1 (DES encryption with the all 0's and all
1's keys).

In earlier work [2], Coppersmith explained that the permutation E_1E_0 contains short
cycles (of size about 2^32). This makes it practical to find the length of the cycle produced
by repeatedly applying E_1E_0 to some starting message. Each of these cycle lengths must
divide the order of E_1E_0. Therefore, the least common multiple of the cycle lengths for
various starting messages is a lower bound on the order of E_1E_0. Also, the order of E_1E_0
divides the size of G. This makes it possible to get a lower bound on the size of G.

Coppersmith found the cycle lengths for 33 messages which proved that the size of G is at
least 10^277. We have found the cycle lengths for 295 additional messages (see Table 2 in
the Appendix). Combining our results with Coppersmith's yields a lower bound on the
size of the subgroup generated by the DES permutations of 1.94×10^2499. This is greater
than the number of DES permutations, which proves that DES is not closed. Also, meet-
in-the-middle attacks on DES which would exploit a small subgroup [4] are not feasible.
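The lower-bound argument above (cycle lengths divide the order of the permutation, so their least common multiple is a lower bound on it, and that order divides |G|) is illustrated by the following added Python, which is my code and not the authors'. It stands a seeded random permutation of a small set in for E_1E_0, takes the cycle lengths from a handful of starting points, forms the lcm, and compares it with the exact order, which for a small permutation can be computed by visiting every cycle.

```python
from functools import reduce
from math import gcd
import random


def lcm(a, b):
    return a * b // gcd(a, b)


def make_permutation(n, seed):
    """Constructed stand-in for E_1E_0: a seeded random permutation of {0, ..., n-1}."""
    perm = list(range(n))
    random.Random(seed).shuffle(perm)
    return perm


def cycle_length(perm, x):
    """Number of applications of perm that bring x back to itself; it divides the order of perm."""
    y, n = perm[x], 1
    while y != x:
        y, n = perm[y], n + 1
    return n


def order_lower_bound(perm, starts):
    """The paper's bound: lcm of the cycle lengths seen from the given starting points.
    It divides the order of perm, which divides the size of the group perm generates."""
    return reduce(lcm, (cycle_length(perm, x) for x in starts), 1)


def permutation_order(perm):
    """Exact order (lcm over all cycles) for a permutation small enough to walk entirely."""
    seen, result = set(), 1
    for x in range(len(perm)):
        if x in seen:
            continue
        n, y = cycle_length(perm, x), x
        for _ in range(n):
            seen.add(y)
            y = perm[y]
        result = lcm(result, n)
    return result


if __name__ == "__main__":
    perm = make_permutation(5000, seed=7)
    bound = order_lower_bound(perm, range(0, 5000, 101))
    print("bound from 50 starts:", bound, " exact order:", permutation_order(perm))
```

The bound grows as starting points land in cycles whose lengths contribute new prime factors; once every cycle has been seen the bound equals the order. For DES the permutation has 2^64 elements, so only the bound is within reach, and it is compared with the number of DES permutations (2^57): a bound above that count already rules out closure.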

It is interesting to note that in the course of investigating the cycle structure of weak and
semi-weak DES keys in 1986 [5], Moore and Simmons published 5 cycle lengths from
which one could have concluded that G has at least 2^146 elements and that DES is not
closed.

6. Conclusion 

We have given probabilistic evidence as well as conclusive proof that DES is not a group. 
Furthermore, the subgroup generated by the DES permutations is more than large enough 
to prevent any meet-in-the-middle attacks which would exploit a small subgroup. 
Appendix: Results of Cycling

For each of 50 randomly selected messages c, Table 1 shows four DES keys i, j, k, and l
such that E_l(E_k(E_j(E_i(0)))) = c. In each case, the initial message x_0 = 0123456789abcdef
was used. The DES keys in the table include eight parity bits as defined in the DES
document [3]. The table also shows information from the collision search including the
decision bit, the leader length λ, and the cycle length μ. All quantities are shown in
hexadecimal except the decision bit, λ, and μ, which are shown in decimal.

Table 2 lists the cycle lengths obtained by applying the E_1E_0 permutation to various
messages.
A High-speed DES Implementation
for Network Applications



Hans Eberle 

Digital Equipment Corporation, Systems Research Center, 
130 Lytton Ave, Palo Alto CA 94301, USA 

Abstract. A high-speed data encryption chip implementing the Data
Encryption Standard (DES) has been developed. The DES modes of
operation supported are Electronic Code Book and Cipher Block Chaining.
The chip is based on a gallium arsenide (GaAs) gate array containing
50K transistors. At a clock frequency of 250 MHz, data can be encrypted
or decrypted at a rate of 1 GBit/second, making this the fastest single-
chip implementation reported to date. High performance and high
density have been achieved by using custom-designed circuits to implement
the core of the DES algorithm. These circuits employ precharged logic,
a methodology novel to the design of GaAs devices. A pipelined flow-
through architecture and an efficient key exchange mechanism make this
chip suitable for low-latency network controllers.

1 Introduction 

Networking and secure distributed systems are major research areas at the
Digital Equipment Corporation's Systems Research Center. A prototype network
called Autonet with 100 MBit/s links has been in service there since early
1990 [14]. We are currently working on a follow-on network with link data rates
of 1 GBit/s.

The work described here was motivated by the need for data encryption 
hardware for this new high-speed network. Secure transmission over a network 
requires encryption hardware that operates at link speed. Encryption will be- 
come an integral part of future high-speed networks. 

We have chosen the Data Encryption Standard (DES) since it is widely used 
in commercial applications and allows for efficient hardware implementations. 
Several single-chip implementations of the DES algorithm exist or have been 
announced. Commercial products include the AmZ8068/Am9518 [1] with an en- 
cryption rate of 14 MBit/s and the recently announced VM007 with a throughput 
of 192 MBit/s [18]. 

An encryption rate of 1 GBit/s can be achieved by using a fast VLSI
technology. Possible candidates are GaAs direct-coupled field-effect transistor logic
(DCFL) and silicon emitter-coupled logic (ECL). As a semiconductor material
GaAs is attractive because of the high electron mobility which makes GaAs
circuits twice as fast as silicon circuits. In addition, electrons reach maximum
velocity in GaAs at a lower voltage than in silicon, allowing for lower internal
operating voltages, which decreases power consumption. These properties position
GaAs favorably with respect to silicon in particular for high speed applications.
The disadvantage of GaAs technology is its immaturity compared with silicon
technology. GaAs has been recognized as a possible alternative to silicon for
over twenty years, but only recently have the difficulties with manufacturing
been overcome. GaAs is becoming a viable contender for VLSI designs [8, 10]
and motivated us to explore the feasibility of GaAs for our design.

In this paper, we will describe a new implementation of the DES algorithm 
with a GaAs gate array. We will show how high performance can be obtained 
even with the limited flexibility of a semi-custom design. Our approach was to 
use custom-designed circuits to implement the core of the DES algorithm and 
an unconventional chip layout that optimizes the data paths. Further, we will 
describe how encryption can be incorporated into network controllers without 
compromising network throughput or latency. We will show that low latency can 
be achieved with a fully pipelined DES chip architecture and hardware support 
for a key exchange mechanism that allows for selecting the key on the fly. 

Section 2 of this paper outlines the DES algorithm. Section 3 describes the 
GaAs gate array that we used for implementing the DES algorithm. Section 4 
provides a detailed description of our DES implementation. Section 5 shows how 
the chip can be used for network applications and the features that make it 
suitable for building low-latency network controllers. This section also includes 
a short analysis of the economics of breaking DES enciphered data. Finally, 
section 6 contains some concluding remarks. 

2 DES Algorithm 

The DES algorithm was issued by the National Bureau of Standards (NBS) in
1977. A detailed description of the algorithm can be found in [11, 13]. The DES
algorithm enciphers 64-bit data blocks using a 56-bit secret key (not including
parity bits which are part of the 64-bit key block). The algorithm employs three
different types of operations: permutations, rotations, and substitutions. The
exact choices for these transformations, i.e. the permutation and substitution
tables, are not important to this paper. They are described in [11]. As shown in
Fig. 1, a block to be enciphered is first subjected to an initial permutation (IP),
then to 16 iterations, or rounds, of a complex key-dependent computation, and
finally to the inverse initial permutation (IP^-1). The key schedule transforms the
56-bit key into sixteen 48-bit partial keys by using each of the key bits several
times.

Figure 2(a) shows an expanded version of the 16 DES iterations for encryption.
The inputs to the 16 rounds are the output of IP and sixteen 48-bit keys
K_1..16 that are derived from the supplied 56-bit key. First, the 64-bit output
data block of IP is divided into two halves L_0 and R_0 each consisting of 32 bits.
The outputs L_n and R_n of an iteration are defined by:

    L_n = R_{n-1}
    R_n = L_{n-1} XOR f(R_{n-1}, K_n)
Fig. 1. Overview of the Data Encryption Standard
(64-bit block → IP → 16 Iterations → IP^-1 → Ciphertext; 56-bit Key → Key Schedule)



where n is in the range from 1 to 16. At the completion of the 16 iterations the
two 32-bit words L_16 and R_16 are put together into a 64-bit block and used as
the input to IP^-1.

Figure 2(b) represents the key scheduling algorithm for encryption. The 56-
bit key first undergoes permuted choice 1 (PC1). The resulting 56 bits are divided
into two 28-bit entities C_0 and D_0. The outputs of an iteration C_n and D_n are
obtained by rotating C_{n-1} and D_{n-1} by one or two positions to the left, where
n is in the range from 1 to 16. The number of left shifts at each iteration is a
fixed part of the algorithm. After 16 rounds the two halves of the 56-bit key will
have been shifted by 28 positions, i.e. C_16 equals C_0 and D_16 equals D_0. The
key value K_n is obtained from C_n and D_n by choosing 48 bits of the available
56 bits according to permuted choice 2 (PC2).

Decryption and encryption use the same data path, and differ only in the
order in which the key bits are presented to function f. That is, for decryption
K_16 is used in the first iteration, K_15 in the second, and so on, with K_1 used in
the 16th iteration. The order is reversed simply by changing the direction of the
rotate operation performed on C_0..15 and D_0..15, that is, C_0..15 and D_0..15 are
rotated to the left during encryption and rotated to the right during decryption.

Figure 3 describes the calculation of function f. First, the 32 bits of the right
half R are permuted and expanded to 48 bits by the E bit-selection table (E).
The expansion is achieved by repeating certain bits. The 48-bit result is then
XORed with a 48-bit key value K obtained from the key schedule. Next, the
48-bit output of the XOR operation is split into blocks of 6 bits and delivered
to eight substitution boxes S_1..S_8. Each S box implements a different nonlinear
function yielding a 4-bit output block. Finally, the 32 bits produced by the
S boxes undergo one more permutation function (P).

Fig. 2. Expanded Version of the 16 Iterations (a) and the Key Schedule (b) for
Encryption

Fig. 3. Expanded Version of Function f

For enciphering data streams that are longer than 64 bits the obvious solution 
is to cut the stream into 64-bit blocks and encipher each of them independently. 
This method is known as Electronic Code Book (ECB) mode [12]. Since for a 
given key and a given plaintext block the resulting ciphertext block will always be 
the same, frequency analysis could be used to retrieve the original data. There 
exist alternatives to the ECB mode that use the concept of diffusion so that 
each ciphertext block depends on all previous plaintext blocks. These modes are 
called Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB) mode, and 
Output Feedback (OFB) mode [12]. 

Our implementation complies with the NBS DES and supports ECB mode
and CBC mode. We did not implement CFB and OFB modes because they are
less useful in network applications. Figure 4 illustrates CBC mode. The plaintext
p is split into 64-bit blocks p = p_1 p_2 ... p_n. The ciphertext block c_i is computed
as:

    c_i = DES_k(p_i XOR c_{i-1}) .

The resulting ciphertext is c = c_1 c_2 ... c_n. Knowing key k and c_0, which is
also known as the initialization vector, the ciphertext can be deciphered by
computing the plaintext block p_i as:

Fig. 4. Cipher Block Chaining
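The chaining relation c_i = DES_k(p_i XOR c_{i-1}) and its inverse p_i = DES_k^-1(c_i) XOR c_{i-1} are shown in the following added Python, which is my code and not the paper's. A key-seeded random permutation of 16-bit blocks stands in for DES_k (an assumption made so the example runs without a DES implementation; the chaining logic does not depend on the block cipher). The example contrasts ECB and CBC on a plaintext with a repeating pattern, round-trips CBC, and shows that a wrong initialization vector damages only the first recovered block.

```python
import random

BLOCK_BYTES = 2   # constructed toy block size (16 bits); DES uses 8-byte blocks


def make_block_cipher(key):
    """Stand-in for DES_k: a key-seeded random permutation of all 16-bit blocks and its
    inverse. Constructed for the example only; it is not DES and not secure."""
    enc = list(range(1 << (8 * BLOCK_BYTES)))
    random.Random(key).shuffle(enc)
    dec = [0] * len(enc)
    for x, y in enumerate(enc):
        dec[y] = x
    return enc, dec


def to_blocks(data):
    if len(data) % BLOCK_BYTES:
        raise ValueError("input must be a whole number of blocks")
    return [int.from_bytes(data[i:i + BLOCK_BYTES], "big")
            for i in range(0, len(data), BLOCK_BYTES)]


def from_blocks(blocks):
    return b"".join(b.to_bytes(BLOCK_BYTES, "big") for b in blocks)


def ecb_encrypt(enc, blocks):
    """ECB: every block on its own, so equal plaintext blocks give equal ciphertext blocks."""
    return [enc[p] for p in blocks]


def cbc_encrypt(enc, iv, blocks):
    """CBC: c_i = DES_k(p_i XOR c_{i-1}) with c_0 = iv. Block i cannot start until c_{i-1}
    exists, which is why CBC encryption cannot be spread over several blocks at once."""
    out, prev = [], iv
    for p in blocks:
        prev = enc[p ^ prev]
        out.append(prev)
    return out


def cbc_decrypt(dec, iv, blocks):
    """Inverse: p_i = DES_k^-1(c_i) XOR c_{i-1}. Only ciphertext blocks are chained in,
    so every block can be decrypted independently."""
    out, prev = [], iv
    for c in blocks:
        out.append(dec[c] ^ prev)
        prev = c
    return out


def demo(key=0x1234, iv=0x0C0C):
    """Constructed sample: a 6-byte pattern repeated three times (nine 16-bit blocks)."""
    enc, dec = make_block_cipher(key)
    pt = to_blocks(b"ATTACKATTACKATTACK")
    ecb = ecb_encrypt(enc, pt)
    cbc = cbc_encrypt(enc, iv, pt)
    wrong_iv = cbc_decrypt(dec, iv ^ 0xFFFF, cbc)
    return {
        "ecb_repeats": ecb[0] == ecb[3] == ecb[6],        # the pattern shows through ECB
        "cbc_first_differs": cbc[0] != ecb[0],            # a nonzero IV changes even block 1
        "cbc_roundtrip": cbc_decrypt(dec, iv, cbc) == pt,
        "wrong_iv_hits_first_block_only": wrong_iv[0] != pt[0] and wrong_iv[1:] == pt[1:],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-32s %s" % (name, ok))
```

The first property is the frequency-analysis weakness of ECB mentioned above; the last shows why the IV must be known to the receiver but need not be secret for the chaining to work.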



3 GaAs Gate Array 

The DES chip is based on a FURY VSC15K gate array from Vitesse Semi- 
conductor [16]. It uses a 0.8 fim GaAs enhancement /depletion mode metal- 
semiconductor field-effect transistor (E/D-mode MESFET) process [17]. The 
array contains 50K transistors on a 8.1mm by 7.1mm die and can implement 
up to 15K unbuffered DCFL 2-input NOR gates. Of more interest to real ap- 
plications, the array has the capacity for 4,000 buffered 2-input NOR gates or 
1,500 D-flipflops. 

Compared with silicon technologies, GaAs DCFL offers higher density than 
silicon ECL, which is the highest-performance bipolar silicon technology, but 
cannot yet compete with silicon CMOS, the densest silicon technology. Presently, 
the densest cell-based GaAs gate arrays offer up to 200K raw gates, while CMOS 
arrays can integrate up to 800K raw gates. It is worth noting that the density 
of GaAs DCFL is currently increasing more rapidly than the density of silicon 
CMOS. GaAs competes favorably with ECL in that it offers comparable speed, 
but consumes only about half to a third of the power. It remains to be seen how 
well GaAs competes with CMOS. Compared with CMOS, GaAs is faster by a 
factor of two to three at the gate level while power consumption favors GaAs 
only at clock frequencies higher than 100 MHz. 

4 DES Chip Implementation 

This section describes how we implemented the DES algorithm. 

4.1 Organization 

There are two ways to improve an algorithm's performance. One can choose a 
dense but slow technology such as silicon CMOS and increase performance by 
parallelizing the algorithm or flattening the logic. Alternatively, one can choose 
a fast but low-density technology such as silicon ECL or GaAs DCFL. The DES 
algorithm imposes limits on the former approach. As was shown in Fig. 4, the 
CBC mode of operation combines the result obtained by encrypting a block with 
the next input block. Since the result has to be available before the next block 
can be processed, it is impossible to parallelize the algorithm and operate on 
more than one block at a time. It is, however, possible to unroll the 16 rounds of 
Fig. 1 and implement all 16 iterations in sequence. Flattening the design in this 
manner will save the time needed to latch the intermediate results in a register 
on every iteration. Even though the density of CMOS chips is sufficient for doing 
this, the speed requirements of a 1 GBit/s CMOS implementation might still be 
challenging. 

Since we wanted to use GaAs technology, we had to choose a different ap- 
proach. The limited density of GaAs gate arrays forced us to implement only 
one of the 16 rounds and reuse it for all 16 iterations. Even without unrolling 
the 16 rounds, fitting the implementation into the available space and meeting 
the speed requirements was a major challenge. In order to achieve a data rate 
of 1 GBit/s, each block has to be processed in 64 ns, which corresponds to 4 ns 
per iteration or a clock rate of 250 MHz. 

The register-level block diagrams for encryption and decryption are shown in 
Figures 5 and 6. The DES chip realizes a rigid 3-stage pipeline, that is, a block 
is first written into the input register I, is then moved into register LR, where it 
undergoes the 16 iterations of the cipher function f, and finally is written into 
the output register O. 

The key schedule is formed by the master key register MK, which holds the 
encryption or decryption key, and a shift register CD, which supplies a different 
key value for each of the 16 iterations. Registers MK and CD can be written but 
not read by external circuitry. This is important since the security of a secret 
key system depends on the security of the keys. If the keys are compromised, 
the whole system is. Once a key has been obtained, messages can be decoded or 
forged messages can be injected into the system. 

Fig. 5. Encryption 

The diagrams do not show the various permutations that must be applied to 
the data paths since these are accomplished solely with wiring. 

Our implementation of the DES algorithm supports CBC mode. During en- 
cryption, a plaintext data block must be XORed with the previously encrypted 
block before it enters register LR of the encryption stage. During decryption, 
the decrypted block must be XORed with the previously encrypted block before 
it enters the output register O. In addition to the XOR gates, pipeline registers 
I' and I" are required during decryption in order to hold the encrypted version 
of a block. In ECB mode, blocks are not chained, that is, the CBC XOR gates 
are disabled. 

A data path from the output register O to register CD allows for loading a 
key with a block from the data stream. The use of this feature will be explained 
in Sect. 5.1. 
4.2 Implementation Characteristics 

The implementation of the DES chip contains 480 flipflops, 2580 gates, and 8 
PLAs. There are up to ten logic levels that have to be passed during the 4 ns 
clock period. The chip uses 84% of the transistors available in the VSC15K gate 
array. The high utilization is the result of a fully manual placement. Timing 
constraints further forced us to lay out signal wires partially by hand. 

The chip's interface is completely asynchronous. The data ports are 8, 16, or 
32 bits wide. A separate 7-bit wide port is available for loading the master key. 
Of the 211 available pins, 144 are used for signals and 45 are used for power and 
ground. With the exception of the 250 MHz clock, which is ECL compatible, all 
input and output signals are TTL compatible. 

The chip requires power supply voltages of -2 V for the GaAs logic and 5 V 
for the TTL-compatible output drivers. The maximum power consumption is 
8W. 
4.3 Asynchronous Interface 

Asynchronous ports are provided in order to avoid synchronization with the 
250 MHz clock. The data input and output registers are controlled by two-way 
handshake signals which determine when the registers can be written or read. 
The data ports are 8, 16, or 32 bits wide. The variable width allows for reducing 
the width of the external data path at lower operating speeds. With the 32-bit 
wide port, a new data word must be loaded every 32 ns in order to achieve an 
encryption rate of 1 GBit/s. The master key register is loaded through a separate, 
also fully asynchronous 7-bit wide port. Our implementation does not check the 
byte parity bits included in the 64-bit key. The low speed of the data and key 
ports makes it possible to use TTL levels for all signals except for the 250 MHz 
clock which is a differential ECL-compatible signal. 

Thanks to the fully asynchronous chip interface, the chip manufacturer was 
able to do at-speed testing even without being able to supply test vectors at 
full speed. For this purpose, the 250 MHz clock was generated by a separate 
generator, while the test vectors were supplied asynchronously by a tester run- 
ning at only 40 MHz. At-speed testing was essential particularly in testing the 
precharged logic which will be described in the following section. 

Due to the high chip utilization there was no room for test structures like 
scan-paths [9]. A special test mode, however, allows for single-stepping through 
the iterations of the cipher function and reading out intermediate results and the 
state of the control logic after each DES round. Combined with the possibility of 
at-speed testing this technique can provide valuable information about the chip 
internals. 

4.4 Precharged S box 

The core of the DES algorithm consists of eight substitution boxes (S boxes) 
which are part of the cipher function f in Fig. 2(a). Each S box computes a 
different boolean function with 6 inputs and 4 outputs. The most challenging 
and interesting part of the DES chip is to design and implement S boxes that 
are both fast and space-efficient. 

The obvious implementation structure for the S boxes is a programmable 
logic array (PLA). In order to meet space and timing constraints, a precharged 
design using custom macros was chosen. 

Precharging is a well-known design technique for silicon nMOS [5]. It offers 
the density of unbuffered gates and the speed of buffered gates. For FURY gate 
arrays, the difference in cell count between buffered logic versus unbuffered logic 
typically is a factor of four. The goal of precharged logic is to overcome the slow 
rise time of unbuffered gates that must drive large capacitive loads. The rise time 
of an unbuffered gate can be as much as ten times the fall time when driving 
a significant amount of metal because of the weak pullup transistors used in 
DCFL. 

Figure 7(a) shows the basic building block of precharged NOR-NOR logic. 
The first-level gates have an extra input for the precharge signal, while the 
second-level gates have an active pullup connected to the output. As shown 
in Fig. 7(b), precharged logic operates in two phases: a precharge phase and a 
compute phase. During precharge, when the precharge signal is high, the outputs 
of the first-level gates are forced to a low level, while the active pullups will force 
the outputs of the second-level gates to a high level. During the compute phase, 
when the precharge signal is low, the outputs of the first-level gates stay low 
or go high while the outputs of the second-level gates stay high or go low. The 
first-level gates are placed adjacent to the second-level gates to make the rising 
edges of the first-level gates fast. The second-level gates are equipped with an 
active pullup to drive large capacitive loads. In a typical application several basic 
blocks are chained together. Notice that the slow low-to-high transitions for the 
second-level gates will occur in parallel during the precharge phase. During the 
compute phase, the long wires of the logic chain propagate only falling edges, 
which are fast. The penalty of this design technique is the time required for 
precharging. The precharge phase has to be long enough to charge the worst- 
case capacitance driven by any second-level gate. Therefore, the more levels of 
logic, the bigger the gain in performance. 

Fig. 7. Precharged NOR-NOR Logic (a) and Timing (b) 

The S box implementation shown in Fig. 8 contains two levels of precharged 
NOR-NOR logic: a 4-input NOR gate driving an inverter followed by a 2-input 
NOR gate driving from zero to four pulldown transistors. The row decoder uses 
two 3:8 decoders in order to save space. By using precharged logic, the S boxes 
occupy less than 10% of the die area. If standard macros were chosen, the S box 
implementation would require 5.5 times as many cells. An implementation with 
available macros would not have fit into the chosen gate array. 

Fig. 8. Precharged S box 

Contrary to the results obtained by analog simulations of the S box, the first 
implementation exhibited a discharge problem, which caused the chips to fail 
at high temperature. The discharge problem affected the last stage of the PLA 
structure in Fig. 8, which corresponds to a 32-bit wide NOR gate. The models 
of the pulldown transistors provided by the chip manufacturer basically ignored 
leakage currents. This caused the output of the PLA to drop from a high to a 
low level before the compute phase was over. Since leakage is proportional to 
temperature, the discharge problem was even worse at higher temperatures. The 
problem can be eliminated by lowering the voltage of the low level of the gates 
driving the 32-input NOR gate and thereby turning off the 32-input NOR gate 
harder. This requires a major change of the driving circuitry. Due to space con- 
straints, we decided to improve the drop rate by simply changing the precharge 
pullup of the 32-input NOR gate. A current source in the form of a D-mode 
FET was added to the existing active pullup transistor in order to compensate 
for the leakage current. 

4.5 Floorplan 

The usual choices when laying out a pipelined design are to partition the logic 
either into register slices or bit slices. The various permutations of the data paths 
contained in the DES algorithm complicate this task. The permutation tables 
employed by the DES algorithm are the so-called initial permutation (IP), the 
E bit-selection table (E), the permutation function (P), and a pair of permuted- 
choice tables (PC1, PC2). Some of the tables not only permute the input bits 
but also duplicate or omit input bits and, thereby, expand or shrink the input 
string. The wiring of the data paths, however, is not as badly scrambled as one 
might fear. IP, IP$^{-1}$, and PC1 affect the wiring of the input and output pads 
only, not the wiring of the critical path, the iteration feedback loop. Fig. 9 shows 
one DES iteration. The wires belonging to the critical path are highlighted. This 
feedback loop contains two permuted data paths: permutations E and P. 



Fig. 9. One DES Iteration (labels in the figure: "from I", "to O", "Compute") 

While previous implementations have chosen a register-sliced layout [7, 15], 
we preferred a mixed strategy. As shown in Fig. 10, we first divide the design into 
blocks corresponding to the eight S boxes. We further subdivide each block into 
four bit slices each containing one bit of the left and the right half of registers I, 
I', I", LR, and O. The register bits are laid out so that the wires connecting the 
outputs of the S boxes and the inputs of LR are as short as possible. Referring 
to Fig. 9, the only scrambled data path is permutation E which connects the 
outputs of R with the inputs of the XOR gate. These wires potentially have to 
go all the way across the chip. In our implementation, the longest of these wires 
is 6 mm long. The time to drive these wires is significant. However, driving these 
long wires happens at the beginning of a clock cycle and, therefore, coincides 
with the precharge phase. Thus, there is no data path with long wires that would 
contribute to the cycle time of the critical path. 
The key bits of register CD are laid out so that the wires connecting CD and 
the XOR gates are kept as short as possible. This scrambles the wiring of the 
key schedule (which implements two 28-bit wide registers that can be rotated 
by one or two bits either to the right or to the left). The timing of these wires 
is, however, not critical since the only logic this path contains is a multiplexer 
that implements the rotate function. 

The control signals are generated in the middle columns of the chip. Drivers 
are duplicated; that is, there are separate drivers for each side of the chip in 
order to reduce the load and wire length and with it the propagation delay. 

5 Applications 

We now discuss applications of the DES chip, which is intended primarily for 
use in network controllers. 

5.1 Low-latency Network Controller 

Our implementation of the DES algorithm is tailored for high-speed network 
applications. This requires not only encryption hardware operating at link speed 
but also support for low-latency controllers. Operating at link data rates of 
1 GBit/s requires a completely pipelined controller structure. Low latency can 
be achieved by buffering data in the controller as little as possible and by avoiding 
protocol processing in the controller. In this respect, the main features of the 
DES chip are a pipelined flow-through design and an efficient key exchange 
mechanism. 

As described in the previous section, the chip is implemented as a rigid 3- 
stage pipeline with separate input and output ports. Each 64-bit data block is 
entered into the pipeline together with a command word. While the data block 
flows through the pipeline, the accompanying command instructs the pipeline 
stages which operations to apply to the data block. On a block-by-block basis it 
is possible to enable or disable encryption, to choose ECB or CBC mode, and to 
select the master key in MK or the key in CD. None of these commands causes 
the pipeline to stall. It is further possible to instruct the pipeline to load a block 
from the output register O into register CD. Typical usage of this feature is as 
follows: a data block is decrypted with the master key, is loaded into CD, and is 
then used for encrypting or decrypting subsequent data blocks. This operation 
requires a one-cycle delay slot; that is, the new key in CD cannot be applied to 
the data block immediately following. 

The format of packets transmitted over the Autonet network efficiently uses 
the described architecture allowing for very low-latency controllers. The data 
flow of a packet transmission is as follows. With the help of a public key algo- 
rithm, a sender S and receiver R first exchange a key K that will subsequently 
be used for encrypting packets. Sender and receiver encrypt this key under their 
master keys and exchange the resulting values. Both store copies of $[K]_{MKS}$ and 
$[K]_{MKR}$ in their memories. MKS is the master key of S and MKR the master 
key of R. Note that a plaintext version of K is not stored in either memory. 
The transmission of the actual data can now begin. The data flow through the 
sender's and receiver's DES chips is as follows. 

Fig. 11. Packet Format (control block: $[K]_{MKS}$; packet header: $[K]_{MKR}$; packet data: $[\mathrm{Data}]_K$) 

Figure 11 shows the data that flows through the DES chip in the sender. 
First, a control block containing the key needed for encrypting the data part 
of the packet will be read from host memory and be presented to the sender's 
DES chip. The DES chip will decrypt $[K]_{MKS}$ and load the resulting key value K 
into key register CD. The control block will not be sent to the network since it 
contains only information required by the sender. Next, the header of the packet 
containing $[K]_{MKR}$ will pass through the DES chip without being manipulated, 
followed by the data, for which encryption and CBC mode are enabled. Both 
header and encrypted data will be sent over the network to the receiver. 

When the header of the packet flows through the receiver's DES chip, $[K]_{MKR}$ 
will be picked out of the header, decrypted, and loaded into register CD. When 
the data part begins, decryption and CBC mode will be enabled. Note that in 
order to obtain key K, the receiver did not have to access memory or halt the 
DES pipeline. 
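The following Python model, added here as an illustration and not the paper's code or hardware, ties together the CBC chaining of the previous section and the command-word pipeline just described: per-block commands, loading CD from register O with its one-cycle delay slot, and the sender/receiver flow of Fig. 11. DES itself is replaced by a constructed 16-round Feistel stand-in (not DES and not secure); the command fields, the two-word header, and all keys and data values are assumptions.

```python
"""Model of the DES chip's command-driven pipeline, CBC chaining and Autonet key flow.

Added example, not the paper's code or hardware. DES is replaced by a 16-round
Feistel stand-in (constructed; NOT DES and not secure). The command-word fields,
the two-word header and every key and data value below are assumptions."""
from dataclasses import dataclass
from typing import List, Optional

MASK32 = 0xFFFFFFFF


def _round_keys(key: int) -> List[int]:
    """Constructed key schedule for the stand-in (not the DES PC1/PC2 schedule)."""
    return [((key >> (3 * i)) ^ (key << (64 - 3 * i)) ^ (0x9E3779B9 * (i + 1))) & MASK32
            for i in range(16)]

def _f(right: int, k: int) -> int:
    """Constructed round function standing in for the DES E / S box / P path."""
    x = ((right ^ k) * 0x9E3779B1 + 0x7F4A7C15) & MASK32
    return ((x << 13) | (x >> 19)) & MASK32

def block_encrypt(key: int, block: int) -> int:
    """16 Feistel rounds on one 64-bit block, the same L/R structure as Fig. 1."""
    left, right = block >> 32, block & MASK32
    for k in _round_keys(key):
        left, right = right, left ^ _f(right, k)
    return (right << 32) | left  # final half swap

def block_decrypt(key: int, block: int) -> int:
    """Inverse: identical rounds with the key schedule reversed."""
    left, right = block >> 32, block & MASK32
    for k in reversed(_round_keys(key)):
        left, right = right, left ^ _f(right, k)
    return (right << 32) | left

@dataclass(frozen=True)
class Command:
    encrypt: bool = False  # apply the cipher forward (else the block passes through)
    decrypt: bool = False  # apply the cipher inverse
    cbc: bool = False      # chain with the previous ciphertext block (else ECB)
    use_cd: bool = False   # select the key in CD instead of the master key in MK
    load_cd: bool = False  # copy the block leaving register O into register CD

class DesChipModel:
    def __init__(self, master_key: int, iv: int = 0):
        self._mk = master_key                 # MK: writable, never readable from outside
        self._cd: Optional[int] = None        # CD: key taken from the data stream
        self._cd_pipe: List[Optional[int]] = [None, None]  # models the one-cycle delay slot
        self._prev_cipher = iv                # c_{i-1}; c_0 is the initialization vector

    def step(self, block: int, cmd: Command) -> int:
        """Push one block and its command through the pipeline; return register O."""
        arrived = self._cd_pipe.pop(0)        # a CD load issued two blocks ago lands now
        self._cd_pipe.append(None)
        if arrived is not None:
            self._cd = arrived
        if cmd.use_cd and self._cd is None:
            raise ValueError("CD selected but not loaded: delay slot not respected")
        key = self._cd if cmd.use_cd else self._mk
        if cmd.encrypt:
            out = block_encrypt(key, block ^ self._prev_cipher if cmd.cbc else block)
            if cmd.cbc:                       # c_i = DES_k(p_i XOR c_{i-1})
                self._prev_cipher = out
        elif cmd.decrypt:
            out = block_decrypt(key, block)
            if cmd.cbc:                       # p_i = DES_k^{-1}(c_i) XOR c_{i-1}
                out ^= self._prev_cipher
                self._prev_cipher = block
        else:
            out = block                       # pass-through, e.g. a packet header word
        if cmd.load_cd:
            self._cd_pipe[1] = out            # register O -> CD, usable two blocks later
        return out

def send_packet(chip: DesChipModel, k_mks: int, k_mkr: int, hdr: int, data: List[int]) -> List[int]:
    """Sender side of Fig. 11; returns the blocks that go onto the network."""
    chip.step(k_mks, Command(decrypt=True, load_cd=True))  # [K]_MKS -> K into CD; not sent
    wire = [chip.step(k_mkr, Command()), chip.step(hdr, Command())]  # header passes untouched
    wire += [chip.step(p, Command(encrypt=True, cbc=True, use_cd=True)) for p in data]
    return wire

def receive_packet(chip: DesChipModel, wire: List[int]) -> List[int]:
    """Receiver side: K is picked out of the header and loaded into CD in flight."""
    chip.step(wire[0], Command(decrypt=True, load_cd=True))  # [K]_MKR -> K into CD
    chip.step(wire[1], Command())                            # second header word fills the delay slot
    return [chip.step(c, Command(decrypt=True, cbc=True, use_cd=True)) for c in wire[2:]]

def demo() -> dict:
    mks, mkr, k = 0x0123456789ABCDEF, 0xFEDCBA9876543210, 0x133457799BBCDFF1  # constructed keys
    k_mks, k_mkr = block_encrypt(mks, k), block_encrypt(mkr, k)  # the only stored forms of K
    data = [0x4E6F772069732074, 0x68652074696D6520, 0x4E6F772069732074]  # blocks 0 and 2 are equal
    wire = send_packet(DesChipModel(mks), k_mks, k_mkr, 0x0000000000000ABC, data)
    plain = receive_packet(DesChipModel(mkr), wire)
    ecb = DesChipModel(k)
    ecb_out = [ecb.step(p, Command(encrypt=True)) for p in data]  # ECB: equal blocks leak
    return {"roundtrip": plain == data, "key_on_wire": k in wire,
            "ecb_distinct": len(set(ecb_out)), "cbc_distinct": len(set(wire[2:]))}
```

Running `demo()` shows the data round-tripping through both chips while K itself never appears on the wire, and that the two identical plaintext blocks are distinguishable under ECB but not under CBC.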

5.2 Breaking DES 

In 1979, Hellman published a paper with the title 'DES will be totally insecure 
within ten years' [6]. The controversy comes from the rather short length of the 
DES key, which could make an exhaustive search of the key space feasible [3, 4]. 
In 1977, Diffie and Hellman proposed a machine consisting of 1 million pro- 
cessors that would each be able to try 1 million keys per second. At an estimated 
cost of $20M this machine would exhaust the key space in 20 hours [4]. In 1984, 
Hoornaert, Goubert, and Desmedt proposed a machine consisting of 25,000 de- 
vices that would each be able to try 1.13 million keys per second. At an estimated 
cost of $1M this machine would exhaust the key space in about 4 weeks [7]. 

This section compares the length of time taken by our implementation to 
break DES with the time taken by two other popular implementations [1, 18]. 
We assume a known-plaintext cryptanalytic attack as described in [4]. The search 
starts out with one or several corresponding plaintext-ciphertext blocks, all en- 
crypted under the same key. The attack is based on brute force in that key after 
key of the key space, which contains $2^{56} \approx 7.2 \times 10^{16}$ elements, is tried. Once the 
key is broken, messages can be forged or cryptograms for which the plaintext is 
not known can be read. 

The data given in Table 1 illustrates the economics of breaking DES. As 
expected, the cost per GBit/s of decryption bandwidth and the time required 
for doing an exhaustive search drop with more recent implementations. The 
given duration for doing an exhaustive search assumes that one is willing to 
spend $1M on DES chips alone. The necessary support circuitry might easily 
double that figure. The given cost per chip assumes quantities of thousands. 



Part       Year   Technology      Data Rate     Cost/Chip   Cost/GBit/s   Exh. Search 
Am9518     84     Silicon nMOS    14 MBit/s     $19         $1357         72 days 
VM007      92     Silicon CMOS    192 MBit/s    $170        $885          47 days 
GaAs DES   92     GaAs DCFL       1 GBit/s      $300        $300          16 days 

Table 1. Cost of Breaking DES 



For our implementation, it takes 16 days to try $2^{56}$ keys or an average of 8 
days to find the key. With the separate key port our chip would be well suited 
for breaking DES in that the key could be easily changed every decryption cy- 
cle without stalling the pipeline. Moreover, the use of field-programmable gate 
arrays in our network controllers would easily allow for turning a network of 
controllers into a distributed machine for breaking DES. We believe that the full 
decryption bandwidth of 1 GBit/s per chip could be achieved without having to 
modify existing hardware. Therefore, a network of 10,000 machines each con- 
taining two DES chips to encrypt data full duplex at 1 GBit/s would exhaust 
the key space in 2 days and 16 hours. 
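The figures in Table 1 and the 10,000-machine estimate follow from a simple cost model: the $1M budget divided by the chip price gives the chip count, and each chip tries one candidate key per 64-bit decryption. The Python below is added here (it is not from the paper) and reproduces those figures from that model; the model itself is our reading of the paper's numbers and is stated as an assumption.

```python
"""Brute-force economics behind Table 1 and the 10,000-machine estimate.

Added example, not from the paper. Assumed model (our reading of the paper's figures):
chips = budget // cost per chip, and each chip tries one candidate key per 64-bit
decryption, so keys per second = chips * data rate / 64."""
KEY_SPACE = 2 ** 56
BLOCK_BITS = 64
SECONDS_PER_DAY = 24 * 3600

# Table 1 inputs: part -> (data rate in bit/s, cost per chip in dollars)
TABLE_1 = {"Am9518": (14e6, 19), "VM007": (192e6, 170), "GaAs DES": (1e9, 300)}


def cost_per_gbit_s(cost_per_chip: float, rate_bit_s: float) -> float:
    """Dollars per GBit/s of decryption bandwidth (the Cost/GBit/s column)."""
    return cost_per_chip / (rate_bit_s / 1e9)


def keys_per_second(rate_bit_s: float, chips: int) -> float:
    """One trial key per 64-bit block per chip."""
    return chips * rate_bit_s / BLOCK_BITS


def exhaustive_search_days(rate_bit_s: float, cost_per_chip: float, budget: float = 1e6) -> float:
    """Days to try all 2^56 keys with as many chips as the budget buys (the Exh. Search column)."""
    chips = int(budget // cost_per_chip)
    return KEY_SPACE / keys_per_second(rate_bit_s, chips) / SECONDS_PER_DAY


def reproduce_table_1() -> dict:
    """part -> (Cost/GBit/s, exhaustive-search days), rounded as Table 1 prints them."""
    return {part: (round(cost_per_gbit_s(cost, rate)), round(exhaustive_search_days(rate, cost)))
            for part, (rate, cost) in TABLE_1.items()}


def network_search_time(machines: int = 10000, chips_per_machine: int = 2,
                        rate_bit_s: float = 1e9) -> tuple:
    """(days, hours) for a network of controllers, each holding chips_per_machine chips."""
    seconds = KEY_SPACE / keys_per_second(rate_bit_s, machines * chips_per_machine)
    return int(seconds // SECONDS_PER_DAY), int(seconds % SECONDS_PER_DAY // 3600)
```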

Biham and Shamir recently showed that DES can be broken in less than the 
$2^{56}$ DES operations required for an exhaustive search [2]. The cryptanalytical 
attack consists of a data collection phase during which a pool of $2^{47}$ chosen 
plaintext blocks are encrypted and a data analysis phase which consists of $2^{37}$ 
DES-like operations. The proposed attack will not be further considered here 
since it cannot make use of existing DES implementations and since the practi- 
cability of the data collection phase is questionable. 
6 Status and Conclusions 

We began designing the DES chip in early 1989 and received the first prototypes 
at the beginning of 1991. The parts were logically functional, but exhibited 
electrical problems and failed at high temperature. A minor design change fixed 
this problem. In the fall of 1991, we received 25 fully functional parts that we 
plan to use in future high-speed network controllers. 

With an encryption rate of 1 GBit/s, the design presented in this paper is 
the fastest DES implementation reported to date. Both ECB and CBC modes 
of operation are supported at full speed. This data rate is based on a worst case 
timing analysis and a clock frequency of 250 MHz. The fastest chips we tested 
run at 350 MHz or 1.4GBit/s. 

We have shown that a high-speed implementation of the DES algorithm is 
possible even with the limited flexibility of a semi-custom design. An efficient im- 
plementation of the S boxes offering both high performance and high density has 
been achieved with a novel approach to designing PLA structures in GaAs. An 
unconventional floorplan has been presented that eliminates long wires caused 
by permuted data bits in the critical path. 

The architecture of the DES chip makes it possible to build very low-latency 
network controllers. A pipelined design together with separate fully asynchronous 
input and output ports allows for easy integration into controllers with a flow- 
through architecture. ECL levels are required only for the 250 MHz clock; TTL 
levels are used for all the data and control pins, thus providing a cost-effective 
interface even at data rates of 1 GBit/s. The provision of a data path for loading 
the key from the data stream allows for selecting the encryption or decryption 
key on the fly. These features make it possible to use encryption hardware for 
network applications with very little overhead. 
Abstract. When a shadow of a threshold scheme is publicized, new 
shadows have to be reconstructed and redistributed in order to maintain 
the same level of security. In this paper we consider threshold schemes 
with disenrollment capabilities where the new shadows can be created 
by broadcasts through a public channel. We establish a lower bound on 
the size of each shadow in a scheme that allows L disenrollments. We 
exhibit three systems that achieve the lower bound on shadow size. 

1 Introduction 

In safeguarding a secret, there are many situations where two or more guardians 
provide more security than only one. Common examples can be found in safe 
deposit boxes and in the control of nuclear weapons. In these cases, two keys 
are needed to activate the control mechanism; the ability to exercise shared 
control is lost if either key is lost or either key's owner is incapacitated. To guard 
against such a loss, copies of keys or instructions may be made and distributed to 
different parties. However, increasing the number of distributed copies increases 
the risk of some copy being compromised, thus reducing the security of the 
system. By distributing "shadows" of a shared secret (which can be used as a 
key), threshold schemes allow shared control without risking compromise of the 
secret. 

Let $S$ be a secret which needs to be protected. The secret $S$ is concealed 
among $n$ different shadows in such a way that: 

1. For some threshold $t$, $t \le n$, called the "threshold size", any $t$ shadows de- 
termine the secret $S$. 

2. No $t - 1$ or fewer shadows uniquely determine the secret. 

The secret $S$ is secure against the collusion of any $t - 1$ or fewer owners of 
shadows, and the scheme is protected against the loss of any $n - t$ shadows. 

Blakley [1] published a $(t,n)$ threshold scheme using hyperplanes. Shamir [7] 
proposed a threshold scheme using polynomials over a finite field. Various other 
schemes (using vector spaces, combinatorial designs, finite geometries and Reed- 
Solomon codes) exist [3, 4, 6, 9]. Schemes with the property that the disclosure 
of $t - 1$ or fewer shadows does not reveal any information about the secret are 
called perfect threshold schemes. 

The disclosure of a shadow decreases the security against collusion of a thresh- 
old scheme since every $t - 1$ remaining shadows, together with the disclosed 
shadow, determine the secret. Thus, the threshold is reduced from $t$ to $t - 1$. 
In order to maintain the same threshold t, the key must be changed and the 
shadows modified. One way to do this is to design a new (t, n) scheme where 
shadows are then distributed through secure channels. The security of the new 
system is not compromised if the new shadows are independent of the disclosed 
shadow. However, setting up the secure channels for distributing shadows can 
be expensive. 
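To make the two properties above and the effect of a disclosed shadow concrete, here is Shamir's polynomial scheme [7] over GF(p) in Python. This is an added example, not part of the paper; the prime, the threshold parameters, the secret and the random seed are constructed, and the brute-force count over all polynomials is only feasible for the tiny field used here.

```python
"""Shamir's polynomial (t, n) threshold scheme [7] over GF(p).

Added example, not from the paper. It shows: t shadows determine the secret,
t-1 shadows leave every secret equally consistent (a perfect scheme), and one
disclosed shadow lowers the effective threshold to t-1. p, t, n, the secret and
the random seed are constructed values."""
import random
from itertools import product
from typing import Dict


def make_shadows(secret: int, t: int, n: int, p: int, rng: random.Random) -> Dict[int, int]:
    """Shadow x is f(x) for a random polynomial f of degree < t with f(0) = secret."""
    coeffs = [secret] + [rng.randrange(p) for _ in range(t - 1)]
    return {x: sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p for x in range(1, n + 1)}


def recover(shadows: Dict[int, int], p: int) -> int:
    """Lagrange interpolation at x = 0; correct whenever at least t shadows are given."""
    secret = 0
    for xi, yi in shadows.items():
        num = den = 1
        for xj in shadows:
            if xj != xi:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        secret = (secret + yi * num * pow(den, p - 2, p)) % p   # Fermat inverse of den
    return secret


def consistent_secrets(shadows: Dict[int, int], t: int, p: int) -> Dict[int, int]:
    """Brute force over every degree-<t polynomial (tiny p only): for each possible
    secret, how many polynomials agree with the given shadows. Uniform counts mean
    the shadows carry no information about the secret."""
    counts = {s: 0 for s in range(p)}
    for coeffs in product(range(p), repeat=t):          # coeffs[0] is the secret
        if all(sum(c * pow(x, k, p) for k, c in enumerate(coeffs)) % p == y
               for x, y in shadows.items()):
            counts[coeffs[0]] += 1
    return counts


def demo(p: int = 13, t: int = 3, n: int = 5, secret: int = 7, seed: int = 1) -> dict:
    rng = random.Random(seed)
    shadows = make_shadows(secret, t, n, p, rng)
    xs = sorted(shadows)
    t_shadows = {x: shadows[x] for x in xs[:t]}
    fewer = {x: shadows[x] for x in xs[:t - 1]}          # a coalition of t-1 owners
    disclosed = xs[-1]                                   # the shadow that becomes public
    return {
        "t_shadows_recover": recover(t_shadows, p) == secret,
        "t_minus_1_counts": consistent_secrets(fewer, t, p),
        "after_disclosure": recover({**fewer, disclosed: shadows[disclosed]}, p) == secret,
    }
```

In `demo()` every candidate secret is consistent with the t-1 shadows exactly once, which is the uniformity a perfect scheme requires, while those same t-1 shadows plus the disclosed one recover the secret outright.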

This paper considers schemes which distribute modifications to existing shad- 
ows through insecure channels. Such a scheme is said to have a disenrollment ca- 
pability. Section 2 gives an information theoretic definition of threshold schemes 
with such a disenrollment capability and establishes a lower bound on the size 
of each shadow. Section 3 gives three examples of implementations that achieve 
the lower bound. The Brickell-Stinson Scheme [2] depends on the existence of a 
random number generator. The Nonrigid Hyperplane Scheme extends the orig- 
inal Blakley [1] Scheme to allow disenrollments. Finally, the Martin Scheme [5] 
makes use of threshold schemes with higher thresholds and reduces the cost of 
each public broadcast. 

2 Information Theory and Lower Bound 

A $(t, n)$ threshold scheme distributes partially redundant shadows $S_1, \ldots, S_n$ 
among $n$ users so that any $t$ or more shadows uniquely determine the secret 
$K$. The random variable $K$ representing the secret takes values in the space $\mathcal{K}$. 
The random variables $S_1, \ldots, S_n$ representing the shadows take values in a space 
$\mathcal{S}$. Using the entropy or "uncertainty" function $H(X)$ introduced by Shannon [8], 
we have the following definitions. 

Definition 1. A $(t,n)$ threshold scheme is a collection of random variables 
$(K, S_1, \ldots, S_n)$ such that for any $1 \le i_1 < i_2 < \ldots < i_j \le n$, 

$$H(K \mid S_{i_1}, \ldots, S_{i_j}) = 0 \quad \forall j \ge t, \qquad (1)$$

$$H(K \mid S_{i_1}, \ldots, S_{i_j}) > 0 \quad \forall j < t. \qquad (2)$$

Condition (1) says that every set of $t$ or more shadows determines the secret 
uniquely, whereas condition (2) indicates that the secret cannot be uniquely 
determined by fewer than $t$ shadows. A $(t,n)$ threshold scheme is said to be 
perfect if 

$$H(K \mid S_{i_1}, \ldots, S_{i_j}) = H(K) \quad \forall j < t. \qquad (3)$$

Condition (3) says that knowledge of fewer than $t$ shadows does not reduce one's 
uncertainty about the secret. 

Let us consider the case where one shadow, say $S_1$, is disclosed or invalidated. 
In order to maintain the threshold level at $t$, a new secret key has to be chosen 
and new shadows have to be constructed. If information on the new shadows 
can be distributed through a public channel without compromising the secrecy 
of the new key, then such a $(t, n)$ threshold scheme is said to have a 1-fold 
disenrollment capability. If $L + 1$ secrets can be chosen so that, while disenrolling 
$L$ shadows successively, the broadcast public messages do not compromise the 
secrecy of the new key, then such a $(t, n)$ threshold scheme is said to have an $L$- 
fold disenrollment capability. An information-theoretic model of such a scheme 
is given below. 

Let $K_0, K_1, \ldots, K_L$ denote the $L + 1$ secrets. Let $S_1, \ldots, S_n$ represent the shad- 
ows, any $t$ of which determine the original secret key $K_0$. Without loss of gen- 
erality we may assume that $S_i$ corresponds to the shadow that is invalidated 
at the $i$-th disenrollment, $i = 1, \ldots, L$. Let $P_1, \ldots, P_L$ denote the public messages 
that are broadcast successively at each disenrollment step. Note that each $P_i$ 
may include information obtained from the revealed shadows, $S_1, \ldots, S_i$. 

Definition 2. A $(t, n)$ threshold scheme with $L$-fold disenrollment capability is 
a collection of random variables $(K_0, K_1, \ldots, K_L, S_1, \ldots, S_n, P_1, \ldots, P_L)$ such that 
for each $i$, $i = 0, \ldots, L$, 

$$H(K_i \mid A_i(k), P_1, \ldots, P_i) = 0 \quad \forall k \ge t, \qquad (4)$$

$$H(K_i \mid A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i) > 0 \quad \forall k < t, \qquad (5)$$

where $A_i(k) = \{S_{i_1}, \ldots, S_{i_k}\} \subseteq \{S_{i+1}, S_{i+2}, \ldots, S_n\}$. 

Definition 3. A $(t,n)$ threshold scheme with $L$-fold disenrollment capability is 
said to be perfect if 

$$H(K_i \mid A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i) = H(K_i) \quad \forall k < t. \qquad (6)$$

Let us assume that $H(K_i) = m$ bits. For a perfect $(t,n)$ threshold scheme 
with $L$-fold disenrollment capability, conditions (4) and (6) can then be expressed 
in terms of mutual information as 

$$I(K_i; A_i(k), P_1, \ldots, P_i) = m \quad \text{if } k \ge t, \qquad (7)$$

$$I(K_i; A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i) = 0 \quad \text{if } k < t, \qquad (8)$$

respectively, where we remind the reader that by definition, 

$$I(X;Y) = H(X) - H(X \mid Y) = H(Y) - H(Y \mid X).$$

In order to minimize the cost of distributing shadows through secure chan- 
nels, we wish to minimize the number of bits required to encode each shadow. 
It is conceivable that a (t, n) threshold scheme with higher disenrollment capa- 
bility requires higher overhead for encoding the shadows. The following theorem 
shows that this is indeed the case by establishing a lower bound on the number 
of bits required to encode a shadow that grows linearly with the number L of 
disenrollments. 

Theorem 4. Let $(K_0, K_1, \ldots, K_L, S_1, \ldots, S_n, P_1, \ldots, P_L)$ be a perfect $(t,n)$ thresh- 
old scheme with $L$-fold disenrollment capability. If $H(K_i) = m$, for $i = 0, \ldots, L$, 
then 

$$H(S_j) \ge (L+1)m \quad \forall j = 1, \ldots, n.$$

To prove the theorem, we first establish that the knowledge of previous secret 
keys and the public messages, together with any t — 1 shadows, provides no 
information about the new secret. 

Lemma 5. For $L \ge i \ge 0$, 

$$I(K_i; K_0, K_1, \ldots, K_{i-1}, A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i) = 0 \quad \text{if } k \le t - 1. \qquad (9)$$

Proof. Recall from information theory that conditional mutual information is 
defined as $I(X;Y \mid Z) = H(X \mid Z) - H(X \mid Y,Z) = H(Y \mid Z) - H(Y \mid X,Z)$ and 
satisfies the identity $I(X,Y;Z) = I(X;Z) + I(Y;Z \mid X)$. Thus, 

$$I(K_i; K_0, K_1, \ldots, K_{i-1}, A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i)$$
$$= I(K_i; A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i)$$
$$+ I(K_i; K_0, \ldots, K_{i-1} \mid A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i).$$

If we can show that $I(K_i; K_0, \ldots, K_{i-1} \mid A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i) = 0$ when $k \le 
t - 1$, then (9) follows directly from (8). But 

$$I(K_i; K_0, \ldots, K_{i-1} \mid A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i) \le H(K_i \mid A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i)$$

and $H(K_i \mid A_i(k), P_1, \ldots, P_i, S_1, \ldots, S_i) = 0$ by (4), so the desired result follows. 

□ 

We next observe the following identity.

Lemma 6. For $j \ge i+1$,

$I(K_i; S_j \mid A_i(t-1), P_1, \ldots, P_i, K_0, \ldots, K_{i-1}) = m.$

Proof.

$I(K_i; S_j \mid A_i(t-1), P_1, \ldots, P_i, K_0, \ldots, K_{i-1})$
$= I(K_i; S_j, A_i(t-1), P_1, \ldots, P_i, K_0, \ldots, K_{i-1}) - I(K_i; A_i(t-1), P_1, \ldots, P_i, K_0, \ldots, K_{i-1})$
$= I(K_i; A_i(t), P_1, \ldots, P_i, K_0, \ldots, K_{i-1})$
$= m.$

The second equality is obtained because $j \ge i+1$ and thus joining $S_j$ with $A_i(t-1)$ gives a set $A_i(t)$ for use in (7), and by noticing that the second term in the previous equation is 0 from Lemma 5 because mutual information is nonnegative and $I(X;Y) \le I(X;Y,Z)$. The last equality is obtained directly from Lemma 5. □
Proof of theorem. We first observe that for $j = 1, \ldots, n$, we may choose $S_j = S_{L+1}$. Thus $H(S_j) = H(S_{L+1})$ and we need to show only that $H(S_{L+1}) \ge (L+1)m$. Now,

$H(S_{L+1}) \ge H(S_{L+1} \mid A_L(t-1))$
$\ge H(S_{L+1} \mid A_L(t-1)) - H(S_{L+1} \mid P_1, \ldots, P_L, K_0, \ldots, K_L, A_L(t-1))$
$= I(P_1, \ldots, P_L, K_0, \ldots, K_L; S_{L+1} \mid A_L(t-1)).$

If we can show that the last quantity is at least $(L+1)m$, then the theorem is proved. But

$I(P_1, \ldots, P_L, K_0, \ldots, K_L; S_{L+1} \mid A_L(t-1))$
$= \sum_{i=1}^{L} I(P_i; S_{L+1} \mid A_L(t-1), P_1, \ldots, P_{i-1})$
$\quad + \sum_{i=0}^{L} I(K_i; S_{L+1} \mid A_L(t-1), P_1, \ldots, P_i, K_0, \ldots, K_{i-1})$
$\ge \sum_{i=0}^{L} I(K_i; S_{L+1} \mid A_L(t-1), P_1, \ldots, P_i, K_0, \ldots, K_{i-1})$
$= (L+1)m$

where the last equality is obtained directly from Lemma 6. □

We have shown that if a $(t,n)$ threshold scheme can disenroll $L$ participants, then each secret shadow must contain at least $(L+1)H(K_0)$ bits. In the next section we exhibit three examples of such threshold schemes where each shadow contains exactly $(L+1)H(K_0)$ bits.

3 Threshold Schemes with Disenrollment Capability 

In this section we will exhibit three examples of perfect $(n,t)$ threshold schemes that allow disenrollments and achieve the lower bound on shadow size established in the previous section.

3.1 Brickell-Stinson Scheme [2]

Let $(K, S_1, \ldots, S_n)$ be a perfect $(n,t)$ threshold scheme, where $K$ represents the secret chosen from $\mathcal{K}$ and $S_i$ represents a shadow chosen from $\mathcal{S}$. We further assume that $H(K) = m$. An $(n,t)$ threshold scheme with $L$-fold disenrollment capability $(K_0, \ldots, K_L, S_1, \ldots, S_n, P_1, \ldots, P_L)$ can be constructed from $(K, S_1, \ldots, S_n)$ as follows:

• Each $K_i$ represents a secret chosen uniformly from $\mathcal{K}$.

• Each $S_i$ represents a shadow $S_i = (S_i, R_{i,1}, \ldots, R_{i,L})$ where each $R_{i,j}$ is a random binary string of length $m$.

• When $S_i$ is invalidated, a new key $K_i$ is chosen and associated with it are the new shadows $\{S'_{i+1}, \ldots, S'_n\}$ that are formed as specified by the original $(n,t)$ threshold scheme. The public message $P_i$ that is broadcast through the public channel is the union of messages of the type

$R_{i+1,i} + S'_{i+1},\; R_{i+2,i} + S'_{i+2},\; \ldots,\; R_{n,i} + S'_n.$

Note that each $R_{i,j}$ is a random string and can be considered as a one-time pad that protects the shadow $S_j$; thus, $H(S_j) = H(S_j \mid P_i)$ and $H(K_i) = H(K_i \mid A_i(k), P_1, \ldots, P_i)$ for $k < t$. Furthermore, it is easy to check that each shadow contains $(L+1)m$ bits, which is the lower bound given in Section 2. So, we have the following theorem.

Theorem 7. The Brickell-Stinson scheme is a perfect $(n,t)$ threshold scheme with $L$-fold disenrollment capability that achieves the lower bound, $H(S_j) = (L+1)m$.
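As an added illustration (not code from the paper), the construction above built on Shamir's $(n,t)$ scheme over a prime field: each shadow carries one pad $R_{j,i}$ per possible disenrollment, and the $i$-th broadcast $P_i$ masks the fresh shadows $S'_j$ of the still-valid participants with those pads, so revealed shadows say nothing about $K_i$. The field size $P$ and the use of a uniform element of $Z_P$ in place of an $m$-bit binary pad are assumptions of the example.

```python
import secrets

# Assumed field: a Mersenne prime, so every shadow and pad is m = 61 bits.
P = (1 << 61) - 1


def _eval(coeffs, x):
    """Horner evaluation of c0 + c1 x + ... at x (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def shamir_share(secret, n, t):
    """Shadows S_1..S_n of a random degree t-1 polynomial with constant term = secret."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(t - 1)]
    return {j: _eval(coeffs, j) for j in range(1, n + 1)}


def shamir_recover(points):
    """Lagrange interpolation at x = 0 from {x: y} with at least t points."""
    secret = 0
    xs = list(points)
    for xi in xs:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + points[xi] * num * pow(den, P - 2, P)) % P
    return secret


class BrickellStinson:
    """Dealer view of an (n,t) threshold scheme with L-fold disenrollment capability."""

    def __init__(self, n, t, L):
        self.n, self.t, self.L = n, t, L
        self.keys = [secrets.randbelow(P)]            # K_0
        base = shamir_share(self.keys[0], n, t)
        # Shadow of participant j: (S_j, R_{j,1}, ..., R_{j,L}); pads uniform in Z_P
        self.shadows = {j: (base[j], [secrets.randbelow(P) for _ in range(L)])
                        for j in range(1, n + 1)}
        self.public = []                              # P_1, ..., P_i
        self.revealed = 0                             # i: number of invalidated shadows

    def disenroll(self):
        """Invalidate S_{i+1}: choose K_i, reshare it, broadcast R_{j,i} + S'_j for j > i."""
        i = self.revealed + 1
        if i > self.L:
            raise ValueError("disenrollment capability exhausted")
        k_i = secrets.randbelow(P)
        self.keys.append(k_i)
        new = shamir_share(k_i, self.n, self.t)
        # P_i: fresh shadows masked with the i-th pad of every still-valid participant
        p_i = {j: (self.shadows[j][1][i - 1] + new[j]) % P
               for j in range(i + 1, self.n + 1)}
        self.public.append(p_i)
        self.revealed = i
        return i


def participant_current_shadow(scheme, j):
    """What participant j can derive for the current key: S'_j = (R_{j,i} + S'_j) - R_{j,i}."""
    i = scheme.revealed
    s_j, pads = scheme.shadows[j]
    if i == 0:
        return s_j
    return (scheme.public[i - 1][j] - pads[i - 1]) % P


def reconstruct_current_key(scheme, members):
    """t or more still-valid participants recover K_i; revealed shadows are ignored."""
    i = scheme.revealed
    valid = [j for j in members if j > i]
    if len(valid) < scheme.t:
        raise ValueError("fewer than t valid shadows")
    return shamir_recover({j: participant_current_shadow(scheme, j)
                           for j in valid[:scheme.t]})


def shadow_size_bits(scheme):
    """Each shadow is one field element plus L pads: (L+1)m bits, the Section 2 bound."""
    return (1 + scheme.L) * P.bit_length()
```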



3.2 Nonrigid Hyperplane Scheme 

For simplicity we first consider the case where $L = t-1$; the cases where $L \ne t-1$ can be similarly designed and will be discussed later. Let $\mathcal{H}$ be the collection of all hyperplanes in a $t$-dimensional vector space $E$ over $GF(q)$. The hyperplanes represented by the rows of an $n$ by $t+1$ augmented matrix

$A = \begin{bmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,t-1} & 1 & b_1 \\ a_{2,1} & a_{2,2} & \cdots & a_{2,t-1} & 1 & b_2 \\ \vdots & \vdots & & \vdots & \vdots & \vdots \\ a_{n,1} & a_{n,2} & \cdots & a_{n,t-1} & 1 & b_n \end{bmatrix} \qquad (10)$

must be in general orientation, that is, the unaugmented $n$ by $t$ matrix

$U(A) = \begin{bmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,t-1} & 1 \\ a_{2,1} & a_{2,2} & \cdots & a_{2,t-1} & 1 \\ \vdots & \vdots & & \vdots & \vdots \\ a_{n,1} & a_{n,2} & \cdots & a_{n,t-1} & 1 \end{bmatrix} \qquad (11)$

must have the property that every one of its $t$ by $t$ submatrices is nonsingular. The intersection of the hyperplanes corresponding to any $t$ or more rows of this matrix is a point $v$, whose first coordinate is the secret $K_0$. The hyperplanes corresponding to any collection of fewer than $t$ rows must intersect in an affine subspace consisting of points which do not all share a common first coordinate. Equivalently, the vector $(1\,0 \cdots 0)$ must never appear as a row in the row reduced echelon form of any $j$ by $t$ submatrix of $U(A)$ given in (11) if $j < t$.

Let $K_i$ correspond to the first coordinate of an arbitrarily chosen point $v_i$ in the vector space $E$. Corresponding to every point $v'$ in $E$, there is a translation of the hyperplanes such that the new point of intersection is the point $v'$. Each shadow $S_j$ is given by the $j$-th row of the matrix $A$ in (10). Clearly, every shadow consists of $t \log_2 q$ bits, which is the lower bound given in Section 2. On revealing $S_j$, the public information $P_j$ is the collection of translations of the unrevealed hyperplanes, that is, $\{c_{j,j+1}, c_{j,j+2}, \ldots, c_{j,n}\}$ such that the $i$-th newly translated hyperplane can be easily computed by converting the last entry in $A$ to $b_i + c_{j,i}$.
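As an added example (not the paper's own code), the $L = t-1$ nonrigid hyperplane scheme over $GF(q)$ with an assumed prime $q$: rows of $A$ are the shadows, a general-orientation check rejects any $U(A)$ with a singular $t \times t$ submatrix, and each disenrollment moves the common point to a fresh $v'$ and broadcasts the translations $c_{j,i}$ of the unrevealed hyperplanes only.

```python
import random
from itertools import combinations

Q = 1_000_003  # assumed prime field size q


def solve_mod_q(rows, q):
    """Gauss-Jordan over GF(q) on t rows [a_1..a_t | rhs]; None if the system is singular."""
    M = [list(r) for r in rows]
    t = len(M)
    for col in range(t):
        piv = next((r for r in range(col, t) if M[r][col] % q), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], q - 2, q)
        M[col] = [x * inv % q for x in M[col]]
        for r in range(t):
            if r != col and M[r][col]:
                factor = M[r][col]
                M[r] = [(x - factor * y) % q for x, y in zip(M[r], M[col])]
    return [M[r][t] for r in range(t)]


def in_general_orientation(U, t, q):
    """Every t x t submatrix of the unaugmented matrix U(A) must be nonsingular (11)."""
    return all(solve_mod_q([row + [0] for row in sub], q) is not None
               for sub in combinations(U, t))


class HyperplaneScheme:
    def __init__(self, n, t, q=Q):
        self.n, self.t, self.q = n, t, q
        self.v = [random.randrange(q) for _ in range(t)]    # v_0; K_0 is v[0]
        while True:  # resample until U(A) is in general orientation
            U = [[random.randrange(q) for _ in range(t - 1)] + [1] for _ in range(n)]
            if in_general_orientation(U, t, q):
                break
        self.U = U
        # Shadow S_j = j-th row of A: (a_{j,1}, ..., a_{j,t-1}, 1, b_j) with b_j = <row, v>
        self.A = [row + [sum(a * x for a, x in zip(row, self.v)) % q] for row in U]
        self.revealed = 0    # i, the number of disenrollments so far
        self.public = []     # P_1, ..., P_i: {j: c_{j,i}} for the unrevealed rows

    def key(self):
        """Current secret K_i: first coordinate of the common point."""
        return self.v[0]

    def disenroll(self):
        """Reveal S_{i+1}: pick v', broadcast c_{j,i} = <a_j, v' - v> for every j > i."""
        if self.revealed >= self.t - 1:
            raise ValueError("L = t-1 disenrollments already used")
        self.revealed += 1
        new_v = [random.randrange(self.q) for _ in range(self.t)]
        delta = [(x - y) % self.q for x, y in zip(new_v, self.v)]
        self.public.append({j: sum(a * d for a, d in zip(self.U[j - 1], delta)) % self.q
                            for j in range(self.revealed + 1, self.n + 1)})
        self.v = new_v
        return self.revealed

    def current_row(self, j):
        """Participant j's hyperplane after all broadcasts: last entry b_j + sum of c_{j,i}."""
        row = list(self.A[j - 1])
        for p in self.public:
            row[-1] = (row[-1] + p[j]) % self.q
        return row


def reconstruct(scheme, members):
    """t still-valid participants intersect their hyperplanes; the first coordinate is K_i."""
    valid = [j for j in members if j > scheme.revealed]
    if len(valid) < scheme.t:
        raise ValueError("fewer than t valid shadows")
    point = solve_mod_q([scheme.current_row(j) for j in valid[:scheme.t]], scheme.q)
    return point[0]
```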

Theorem 8. The nonrigid hyperplane scheme is a perfect $(n,t)$ threshold scheme with $t$-fold disenrollment capability that achieves the lower bound, $H(S_j) = t \log_2 q$.

Proof. To show that the hyperplane scheme is a perfect $(n,t)$ threshold scheme, we need to show that every key in $\mathcal{K}$ remains equally probable after each disenrollment. Let $l$ be a 1-dimensional subspace in $E$ determined by $t-1$ hyperplanes in $A_i(t-1)$, and let $\{v_0, \ldots, v_{i-1}\}$ be the chosen points in $E$ that correspond to the known secrets $K_0, \ldots, K_{i-1}$ as defined above. For each $j > i$, the translations of these chosen points given by $V = \{v_0,\; v_1 - (0, \ldots, c_{1,j}),\; \ldots,\; v_{i-1} - (0, \ldots, c_{i-1,j})\}$ must be contained in the hyperplane corresponding to participant $j$. Since $i \le t-1$, for every point $p \in l$ and every $j > i$, there exists a hyperplane $H_j \in \mathcal{H}$ that contains the point $p$ and the corresponding translated points in $V$. In other words, every $p \in l$ can be the chosen point $v_i$ and every key can be the new secret. Thus, the entropy of every key remains the same and (6) is established. □

In the case where the number of disenrollments $L$ is less than $t-1$, we publish $t-1-L$ columns of the matrix $U(A)$ in (11) and still maintain the same perfect threshold scheme properties. If $L$ is greater than $t-1$, then we use the additional columns to store information about changing the orientation of each of the hyperplanes after each disenrollment. Consider $L = t+x$, $x > 0$; the matrix in (10) representing the shadows is then given by

$\begin{bmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,t+x} & 1 & b_1 \\ a_{2,1} & a_{2,2} & \cdots & a_{2,t+x} & 1 & b_2 \\ \vdots & \vdots & & \vdots & \vdots & \vdots \\ a_{n,1} & a_{n,2} & \cdots & a_{n,t+x} & 1 & b_n \end{bmatrix} \qquad (12)$

After $i$ disenrollments, each new hyperplane is then given by $(a_{j,i_0}, \ldots, a_{j,i_{t-2}}, 1, b_j + c_{i,j})$ where $i_m = 1 + ((i+m) \bmod (t+x))$ and $c_{i,j}$ is the corresponding broadcast translation. Such a scheme can be shown to be perfect by using similar arguments as above.

3.3 Martin Scheme [5]

Every $(n, t+i)$ threshold scheme, $i > 0$, can be used as an $(n,t)$ threshold scheme by publishing $i$ additional shadows from the shadow space $\mathcal{S}$. Thus, any $t$ or more shadows together with the $i$ published shadows can uniquely determine the secret. Based on the above notion, an $(n,t)$ threshold scheme with $L$-fold disenrollment capability $(K_0, \ldots, K_L, S_1, \ldots, S_n, P_1, \ldots, P_L)$ can be constructed from $L+1$ randomly chosen perfect $(n, t+L)$ threshold schemes $(K_i, S_1^i, \ldots, S_n^i)$, $i = 0, \ldots, L$, as follows:

• Each $K_i$ represents a secret chosen from the key space $\mathcal{K}$.

• Each $S_i$ represents a shadow of the form $(S_i^0, S_i^1, \ldots, S_i^L)$ where each $S_i^j$ is a shadow from the $j$-th $(n, t+L)$ threshold scheme, $(K_j, S_1^j, \ldots, S_n^j)$.

• When $S_i$ is invalidated, the new key $K_i$ is used and, associated with it, $L$ additional "new" shadows have to be published. Among these $L$ additional shadows are the revealed shadows $S_1^i, S_2^i, \ldots, S_i^i$.

Since all the $L+1$ keys $K_0, K_1, \ldots, K_L$ are independent of one another, the disclosures of $K_j$ and $S_l^j$, $l \ge 1$, give no information on $K_i$ as long as $i \ne j$. However, the disclosed shadows $S_1^i, \ldots, S_i^i$ together with $L+t-i$ other shadows can uniquely determine the key $K_i$. Thus, only $L-i$ additional shadows from $\mathcal{S}$ need to be broadcast through the public channel, and we have the following theorem.

Theorem 9. The Martin scheme is a perfect $(n,t)$ threshold scheme with $L$-fold disenrollment capability that achieves the lower bound, $H(S_i) = (L+1)H(K_i)$.

We can further modify the Martin scheme to reduce the size of the public broadcast after each disenrollment. Specifically, we randomly choose an $(n, t+i)$ threshold scheme (instead of an $(n, t+L)$ threshold scheme), for $0 \le i \le L$. After the $i$-th disenrollment, we use the $i$ revealed shadows $S_1^i, \ldots, S_i^i$ as the additional shadows required to be published, thus reducing the size of the broadcast message.

4 Conclusion

We have established a lower bound on the initial overhead required for $(n,t)$ threshold schemes that allow disenrollments and have given three examples of such implementations. We further modified the Martin scheme to reduce the cost of broadcasting the public information. An interesting open question that remains to be solved is "What is the lower bound on the entropy of the public broadcast?" We conjecture that the lower bound is given by

Conjecture. For $0 < i < L$,

$H(P_i) \ge iH(K).$
Abstract. Homomorphic threshold schemes were introduced by Benaloh and have found several applications. In this paper we prove that there do not exist perfect finite homomorphic general monotone sharing schemes for which the key space is a finite non-Abelian group (except for very particular access structures). This result is valid for the most general case, e.g., if each participant receives shares from different sets and when these sets are not necessarily groups.

We extend the definition of homomorphic threshold scheme to allow that the homomorphic property is valid for two operations. When the set of keys is a finite Boolean Algebra or a Galois field then there does not exist a perfect finite two-operation-homomorphic general sharing scheme.

1 Introduction 

General sharing schemes [13] allow a distributor to distribute shares of a (secret) key to a set of participants (shareholders) $A$, such that when an authorized subset of participants $B$ join their shares they can recompute the key. The set of authorized subsets (of $A$) is often called the access structure and denoted as $\Gamma_A$. A sharing scheme is perfect when a subset $B$ which is not in the access structure has no (additional) information about the (secret) key. Sharing schemes are a generalization of threshold schemes [5, 17] in which only subsets of $A$ with cardinality greater than or equal to a threshold $t$ are in the access structure.

Benaloh [3] introduced the concept of homomorphic sharing scheme. In such a scheme when a participant $i$ has a share $s_i$ of the key $k$ and a share $s'_i$ of the key $k'$, then $s''_i = s_i \cdot s'_i$ is a share of $k * k'$. When all participants in $B$ compute their $s''_i$ from their shares $s_i$ and $s'_i$ and join these shares $s''_i$ they can compute $k * k'$. The first application of homomorphic sharing schemes was used to set up secret ballot election schemes [3]. Recently, the interest in this

* This work has been supported by NSF Grant NCR-9106327 and INT-9123464. Part of this work was performed while visiting Royal Holloway, University of London.
** Part of this work was done while visiting the University of Wisconsin-Milwaukee.
topic was revived when it was used to set up non-interactive threshold signature and threshold authentication schemes [8] (see also [7, 12, 16, 15]). With these schemes, the shares used to authenticate $M$ (i.e., to calculate $h_k(M)$) should not provide a subset of shareholders not in the access structure with the ability to authenticate $M'$ (i.e., to calculate $h_k(M')$). The non-interactive aspect was obtained by having each participant in $B$ send $h_{s_i}(M)$ to a combiner, where $s_i$ is the participant's share of the secret key $k$. From these $h_{s_i}(M)$ the combiner could calculate $h_k(M)$ without finding $k$.

In [8], $h_k(\cdot)$ corresponded with RSA or an unconditionally secure authentication scheme. A natural open problem is whether this can be extended to any Boolean function. This would imply that shareholders could compute in a non-interactive way a deterministic function $h_k(I)$, where $I$ is given and $k$ is the secret, by just using their shares of $k$. In the context of [18, 11, 6] we could call this application a non-interactive mental game (observe that there is no random input to $h_k(I)$). Similar research has been done with secure circuit computation in an unconditionally secure model [2, 6] (which is also called a non-cryptographic model). Many schemes using the unconditionally secure model use a homomorphic sharing scheme with key space a finite Boolean Algebra (Galois field) for the XOR (addition) operation in the circuit (function), but the AND (multiplication) operation uses an interactive protocol. If a two-operation-homomorphic sharing scheme could be produced, then the communication complexity [10] of these schemes would be greatly improved. In this paper we prove that there is no perfect finite two-operation-homomorphic non-trivial monotone sharing scheme when the set of secrets is a finite Boolean Algebra or a Galois field, implying that the technique presented in [8] has a limited scope.

We also prove that there is no perfect finite sharing scheme when the set of keys is a finite non-Abelian group (except for very particular access structures). We remind the reader that the set $S_n$ of permutations of $n$ elements forms a group (which is non-Abelian when $n \ge 3$) and that permutations are a key element in developing conventional cryptosystems (e.g., consult [14]).

2 Definitions and Notations 

We now define a general sharing scheme [13].

Definition 1. Let $K$ and $A$ be sets respectively called the set of keys and the set of participants. For simplicity of notation we assume that $A = \{1, \ldots, |A|\}$. For each $i \in A$ we have the set $S_i$. Let $C$, called the set of codewords, be a subset of $S_1 \times \cdots \times S_{|A|}$ and $f : C \to K$ be a function. Let $B = \{i_1, \ldots, i_{|B|}\}$ where $B \subset A$. For each $B$ we define $g_B : C \to S_{i_1} \times \cdots \times S_{i_{|B|}} : c = (s_1, \ldots, s_{|A|}) \mapsto (s_{i_1}, \ldots, s_{i_{|B|}})$. We define the relation $R_B$ between $g_B(C)$ and $K$ as $R_B = \{(a,k) \mid \exists c \in C : a = g_B(c) \text{ and } k = f(c)\}$. When $\Gamma_A \subset \mathcal{P}(A)$ (the power set of $A$), then $(\Gamma_A, K, C, f)$ is a general monotone sharing scheme if: $\forall B \in \Gamma_A : R_B$ is a function from $g_B(C)$ onto $K$. If so, we denote $R_B$ by $f_B$. Observe that, from the definition of $f_B$, if $B \in \Gamma_A$ then $B' \in \Gamma_A$ for any $B'$ with $A \supseteq B' \supseteq B$.
  key | 1's share | 2's share | 3's share
  ----+-----------+-----------+----------
   0  |     0     |    0 0    |    0 0
   0  |     0     |    0 1    |    1 0
   1  |     0     |    1 0    |    1 1
   1  |     0     |    1 1    |    0 1
   1  |     1     |    0 0    |    1 0
   1  |     1     |    0 1    |    0 0
   0  |     1     |    1 0    |    0 1
   0  |     1     |    1 1    |    1 1

Table 1. An example of $f$ in a homomorphic sharing scheme.



Informally, when a distributor gives shares of $k$ he chooses a codeword $c$ such that $f(c) = k$. Any subset $B$ of $A$ in the access structure can compute $k$ uniquely using $f_B$ on their shares, which are elements of $S_i$. Due to [4] we allow the sets of potential shares to be different. Observe that we allow that $C$ is a proper subset of $S_1 \times \cdots \times S_{|A|}$, implying that given any $s_{i_1}, \ldots, s_{i_{|B|}}$ there does not necessarily exist a codeword $c$ for which $g_B(c) = (s_{i_1}, \ldots, s_{i_{|B|}})$. However, without affecting the generality we can assume that if $|B| = 1$ the above is satisfied. As an illustration we present in Table 1 a two-out-of-three threshold scheme for which the set of keys is $K = Z_2(+)$. Observe that in this example $g_{\{2,3\}}(C)$ is a proper subset of $S_2 \times S_3$.

Definition 2. Let $B = \{i_1, \ldots, i_{|B|}\}$. Given a random variable $\mathbf{k}$ on $K$, shares $\mathbf{s}_i$ are given (by the distributor) with a certain (known) probability distribution. If for all random variables $\mathbf{k}$ on $K$, all $B \notin \Gamma_A$, and all $(s_{i_1}, \ldots, s_{i_{|B|}}) \in g_B(C)$,

$\mathrm{prob}(\mathbf{k} = k \mid \mathbf{s}_{i_1} = s_{i_1}, \ldots, \mathbf{s}_{i_{|B|}} = s_{i_{|B|}}) = \mathrm{prob}(\mathbf{k} = k),$

then the sharing scheme is perfect. If $\forall B \notin \Gamma_A : \forall (s_{i_1}, \ldots, s_{i_{|B|}}) \in g_B(C) : \forall k \in K : \exists c \in C : g_B(c) = (s_{i_1}, \ldots, s_{i_{|B|}})$ and $f(c) = k$ then we call the sharing scheme weakly perfect.

Definition 3. Let $K$ have a binary operation $*$ (so $K(*)$ is closed) and each $S_i$ have a binary operation $\cdot$. Let $(\Gamma_A, K, C, f)$ be a sharing scheme. If $f$ is a homomorphism then we have a homomorphic sharing scheme [3]. If $K$ and the $S_i$ have two binary operations and $f$ is a homomorphism for both operations then we have a two-operation-homomorphic sharing scheme.

Note that Definition 3 implies that in a monotone homomorphic sharing scheme $C(\cdot)$ is closed.
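As an added example, not part of the paper, the Table 1 scheme written out as its codeword set with $f$ and $g_B$ and checked against Definitions 1 to 3: $C$ closed under componentwise XOR with $f$ a homomorphism onto $Z_2(+)$, $R_B$ a function from $g_B(C)$ onto $K$ for every $B \in \Gamma_A$, perfectness for every single shareholder, and $g_{\{2,3\}}(C)$ a proper subset of $S_2 \times S_3$.

```python
from itertools import combinations, product
from fractions import Fraction

# Table 1 transcribed as rows (key, 1's share, 2's share, 3's share).
# Share sets: S_1 = Z_2, S_2 = S_3 = Z_2^2 (2-bit tuples); all operations are XOR.
TABLE1 = [
    (0, 0, (0, 0), (0, 0)),
    (0, 0, (0, 1), (1, 0)),
    (1, 0, (1, 0), (1, 1)),
    (1, 0, (1, 1), (0, 1)),
    (1, 1, (0, 0), (1, 0)),
    (1, 1, (0, 1), (0, 0)),
    (0, 1, (1, 0), (0, 1)),
    (0, 1, (1, 1), (1, 1)),
]
A = (1, 2, 3)
GAMMA_A = [B for r in (2, 3) for B in combinations(A, r)]  # two-out-of-three
UNAUTHORIZED = [(1,), (2,), (3,)]


def xor(u, v):
    """Share operation '.' and key operation '*' of this scheme: bitwise XOR."""
    if isinstance(u, tuple):
        return tuple(a ^ b for a, b in zip(u, v))
    return u ^ v


def codewords():
    """The codeword set C (a subset of S_1 x S_2 x S_3)."""
    return {row[1:] for row in TABLE1}


def f(c):
    """The key function f : C -> K read off the table."""
    for row in TABLE1:
        if row[1:] == c:
            return row[0]
    raise KeyError(c)


def g(B, c):
    """Projection g_B of codeword c onto the shares of participants in B (1-based)."""
    return tuple(c[i - 1] for i in B)


def is_homomorphic():
    """Definition 3: C is closed under '.' and f(c . c') = f(c) * f(c')."""
    C = codewords()
    for c1, c2 in product(C, repeat=2):
        c3 = tuple(xor(a, b) for a, b in zip(c1, c2))
        if c3 not in C or f(c3) != xor(f(c1), f(c2)):
            return False
    return True


def is_monotone_scheme():
    """Definition 1: for every B in Gamma_A, R_B is a function from g_B(C) onto K."""
    C = codewords()
    for B in GAMMA_A:
        seen = {}
        for c in C:
            if seen.setdefault(g(B, c), f(c)) != f(c):
                return False        # same projected shares map to two keys
        if set(seen.values()) != {0, 1}:
            return False            # R_B is not onto K
    return True


def is_perfect():
    """Definition 2 with k uniform: prob(k | shares of an unauthorized B) = prob(k) = 1/2."""
    C = codewords()
    for B in UNAUTHORIZED:
        for s in {g(B, c) for c in C}:
            match = [c for c in C if g(B, c) == s]
            for k in (0, 1):
                if Fraction(sum(f(c) == k for c in match), len(match)) != Fraction(1, 2):
                    return False
    return True


def projected_share_space_is_proper(B):
    """True when g_B(C) is a proper subset of the product of the share sets S_i, i in B."""
    C = codewords()
    full = 1
    for i in B:
        full *= len({c[i - 1] for c in C})    # |S_i| as realised in the table
    return len({g(B, c) for c in C}) < full
```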

Definition 4. A monotone sharing scheme $(\Gamma_A, K, C, f)$ is finite if $C$ is finite.

3 K is a finite non-Abelian group

We now prove that there is no weakly perfect finite homomorphic sharing scheme (except for very particular access structures) when the set of keys $K$ is a finite non-Abelian group. We observe that Benaloh's definition does not require that the set of shares $S_i$ (which we allow to differ for each participant) have the same algebraic structure as $K$.

To prove this we will first prove properties for an optimal sharing scheme.

Definition 5. When $(\Gamma_A, K, C, f)$ is a sharing scheme, it is optimal if there does not exist a $(\Gamma_A, K, C', f')$ sharing scheme such that $|C'| < |C|$.

Remark. It is possible that there are many optimal homomorphic threshold schemes.

In this section we will assume that the sharing scheme is finite. We will now prove that if each of the $S_i$ is not a quasigroup³ then one can create a 'more' optimal sharing scheme.

Lemma 6. In an optimal (weakly) perfect finite monotone homomorphic sharing scheme with key space $K$ a finite group, each $S_i$ and $C$ are quasigroups.

Proof. Suppose that $C(\cdot)$ is not a quasigroup. Then there exists a $c_1 \in C$ such that $c_1 \cdot C$ is a proper subset of $C$. Let $f(c_1) = k_1$. Since $K$ is a finite group there exists an integer $n$ such that $f(c_1)^n = k_1^{-1}$. Let $c'_1 = c_1 \cdot (c_1 \cdot (\cdots (c_1 \cdot c_1)))$ and $C' = c_1 \cdot (c'_1 \cdot C)$. Observe that $C' \subset c_1 \cdot C$ and that $f(c'_1) = k_1^{-1}$.

We now create a 'more' optimal homomorphic sharing scheme using $C'(\circ)$. We define $x_1 \circ x_2 = c_1 \cdot (c'_1 \cdot (x_1 \cdot x_2))$ for $x_1, x_2 \in C'$ and we use the restriction of $f$ to $C'$. Clearly "$\circ$" is closed on $C'$. Because $R_B$ is a function from $g_B(C)$ to $K$, for any $B \in \Gamma_A$, the restriction of $f_B$ to $g_B(C')$ is a function. We now prove that the restriction of $f_B$ is onto. Choose any $k' \in K$. Then there is a $c \in C$ such that $f_B(c) = k'$. Now $f_B(g_B(c_1 \cdot (c'_1 \cdot c))) = f_B(g_B(c))$. Since $f(x_1 \circ x_2) = f(x_1 \cdot x_2)$, the new scheme is a homomorphic sharing scheme. Let $s = (s_{i_1}, \ldots, s_{i_{|B|}}) \in g_B(C')$ and $B \notin \Gamma_A$. To prove that the new scheme remains perfect (if it was already), observe that

$\mathrm{prob}(\mathbf{k} = k, \mathbf{s} = s) = \sum_{s' :\; s = g_B(c_1) \cdot (g_B(c'_1) \cdot s')} \mathrm{prob}(\mathbf{k} = k, \mathbf{s}' = s')$
$= \mathrm{prob}(\mathbf{k} = k) \cdot \sum_{s' :\; s = g_B(c_1) \cdot (g_B(c'_1) \cdot s')} \mathrm{prob}(\mathbf{s}' = s')$
$= \mathrm{prob}(\mathbf{k} = k) \cdot \mathrm{prob}(\mathbf{s} = s)$

because the original scheme is perfect. Thus $C'(\circ)$ is a 'more' optimal scheme than $C(\cdot)$, contradicting the fact that $C$ is optimal. □

Lemma 7. Consider a finite homomorphic monotone sharing scheme $(\Gamma_A, K, C, f)$ with key space $K$ a finite group. If the codeword space $C(\cdot)$ is a quasigroup then there exists a binary operation $\circ$ such that $C(\circ)$ has an identity element $e$ and the function $f$ remains a homomorphism. Thus each $S_i(\circ)$ has an identity.

³ In a finite quasigroup $S(\cdot)$, for each $s \in S$: $s \cdot S = S = S \cdot s$.
Proof. This follows from [1]. We briefly overview the proof. Let $L_y$ be the mapping $L_y : b \mapsto y \cdot b$ and $R_z$ be the mapping $R_z : a \mapsto a \cdot z$. Define $a \circ b = R_z^{-1}(a) \cdot L_y^{-1}(b)$ where $a, b \in C$. Then $C(\circ)$ is a quasigroup because $C(\cdot)$ is. Furthermore $e = y \cdot z$ is an identity element for $C(\circ)$. Indeed, $y \cdot z = R_z(y) = L_y(z)$, so that $e \circ x = R_z^{-1}(y \cdot z) \cdot L_y^{-1}(x) = R_z^{-1}(R_z(y)) \cdot L_y^{-1}(x) = y \cdot L_y^{-1}(x) = L_y(L_y^{-1}(x)) = x$. Similarly, $x \circ e = R_z^{-1}(x) \cdot L_y^{-1}(y \cdot z) = R_z^{-1}(x) \cdot L_y^{-1}(L_y(z)) = R_z^{-1}(x) \cdot z = R_z(R_z^{-1}(x)) = x$.

We now prove that we can choose $y$ and $z$ in such a way that $f$ remains a homomorphism. Choose $y, z \in C$ such that $f(z)^{-1} * f(y)^{-1} = 1 \in K$. Clearly for $a, b \in C$, $f(a \circ b) = f(R_z^{-1}(a) \cdot L_y^{-1}(b)) = f(R_z^{-1}(a)) * f(L_y^{-1}(b)) = f(a) * f(z)^{-1} * f(y)^{-1} * f(b) = f(a) * f(b)$, as can easily be verified. So, this scheme is homomorphic and if it is perfect it remains so since the set of codewords is the same. □

From these lemmas we get the following result. 

Theorem 8. Consider a (weakly) perfect finite homomorphic monotone sharing scheme with key space $K$, a finite group, for which there exists a $B \in \Gamma_A$ such that $B = B' \cup B''$, with $B', B'' \notin \Gamma_A$ and $B' \not\subseteq B''$, $B'' \not\subseteq B'$. Then $K$ is Abelian.

Proof. From Lemma 6 and Lemma 7 it follows that there exists a homomorphic (weakly) perfect sharing scheme $(\Gamma_A, K, C, f')$ for which $C$ is a quasigroup with identity. So we can assume that $(1, \ldots, 1) \in C$. Let $B = \{i_1, \ldots, i_{|B'|}, i_{|B'|+1}, \ldots, i_{|B|}\}$ with $B' = \{i_1, \ldots, i_{|B'|}\}$ and $B'' = \{i_{|B|-|B''|+1}, \ldots, i_{|B|}\}$. Since the scheme is weakly perfect, for each $k' \in K$ there exists a codeword $c' \in C$ such that $f(c') = k'$, $g_{B'}(c') = (1, \ldots, 1)$, and for each $k'' \in K$ there exists a codeword $c'' \in C$ such that $f(c'') = k''$ and $g_{B''}(c'') = (1, \ldots, 1)$. Observe that $g_B(c' \cdot c'') = g_B(c'' \cdot c')$, so because $B \in \Gamma_A$ we have $f(c' \cdot c'') = f(c'' \cdot c')$. Then, since $f$ is a homomorphism, $f(c') * f(c'') = f(c'') * f(c')$. Thus $K$ is Abelian (the conditions on $B$ are crucial to allow that $f(c')$ is any $k'$ and $f(c'')$ is any $k''$). □

An example of an access structure that does not satisfy the above conditions is $A = \{1, 2, 3, 4\}$, $\Gamma_A = \mathcal{P}(A) \setminus \overline{\Gamma}_A$, where $\overline{\Gamma}_A = \{\emptyset, \{2\}, \{4\}, \{2,4\}\}$. In general the above condition is not satisfied if the union of any two elements in $\overline{\Gamma}_A$ belongs to $\overline{\Gamma}_A$.

Corollary 9. If $(\Gamma_A, K, C, f)$ is a weakly perfect $t$-out-of-$|A|$ finite homomorphic threshold scheme and $K$ is a finite non-Abelian group then $t = 1$.

Proof. Obvious. □



4 Two operation sharing schemes

Let $K = K' \cup \{0\}$, where $K'$ is a finite group and $0 \notin K'$ with $0 \cdot x = x \cdot 0 = 0$ for all $x \in K$. We call $K$ a finite group with zero. Let us define the set $F_A = \{B \in \Gamma_A \mid \forall B' \subsetneq B : B' \notin \Gamma_A\}$. A monotone sharing scheme for which $\{i\} \in F_A$ for all $i \in A$ is called trivial (for all practical purposes one can say that in such schemes each shareholder knows the key).
Theorem 10. A non-trivial finite homomorphic monotone sharing scheme with key space $K$, a finite group with zero, cannot be weakly perfect.

Proof. Let $(\Gamma_A, K, C, f)$ be a non-trivial finite two-operation-homomorphic sharing scheme. Without loss of generality, we assume for all $i \in A$ that $g_{\{i\}}(C) = S_i$.

Let $B \in F_A$ and $|B| > 1$. We first prove that if $f(c) = 0$, then there exists an $i \in B$ such that $g_{\{i\}}(c) \cdot S_i \ne S_i$. Indeed suppose that for all $i \in B$ that $g_{\{i\}}(c) \cdot S_i = S_i$. This implies that $g_B(c) \cdot g_B(C) = g_B(C)$. Since $f_B$ is a homomorphism, $f_B(g_B(c) \cdot g_B(C)) = 0 * f_B(g_B(C)) = f_B(g_B(C)) = K$. So we have a contradiction.

For an optimal finite homomorphic non-trivial sharing scheme we now prove that if $s_i \cdot S_i \ne S_i$ then $f(c) = 0$ where $g_{\{i\}}(c) = s_i$. If $f(c) \ne 0$, then by Lemma 6 we can get a 'more' optimal scheme (replacing $C$ by $c \cdot (c' \cdot C)$). This implies that the scheme is not weakly perfect. □

Corollary 11. In any finite two-operation-homomorphic sharing scheme with key space $K$, a Galois field, for every $c \in C$ and $B \in F_A$, there is a shareholder in $B$ whose share uniquely determines the key. (Formally, $\forall B \in F_A : \forall c \in C : \exists i \in B : \exists k \in K : \mathrm{prob}(\mathbf{k} = k \mid \mathbf{s}_i = s_i) = 1$.)

Proof. Observe that the multiplicative structure of a field is a group with zero. When the sharing scheme is trivial, the result is obvious. We now discuss non-trivial sharing schemes. It is now sufficient to consider $B \in F_A$ and $|B| > 1$. Denote the addition in $C$ as $\oplus$ while we use $+$ in $K$. From the proof of the previous theorem (and because each $i \in B$ can simulate for his share the optimization technique⁴ of Lemma 6) we see that for any $c \in C$ with key $k = 0$ there is a shareholder $i$ in each $B \in F_A$ whose share $s_i$ uniquely determines the key. That is, $\mathrm{prob}(\mathbf{k} = 0 \mid \mathbf{s}_i = s_i) = 1$. We now use this fact.

Since $K$ is a finite group over addition, for any $c \in C$ there exists a $c' \in C$ such that $f(c') = -f(c)$. Then $f(c \oplus c') = 0$. By Theorem 10, there exists an $i \in B$ such that $\mathrm{prob}(\mathbf{k} = 0 \mid \mathbf{s}_i = s_i) = 1$, where $s_i = g_{\{i\}}(c \oplus c')$. For any $c''$ with $g_{\{i\}}(c'') = g_{\{i\}}(c)$ we must have $f(c'') = f(c)$, since $g_{\{i\}}(c'' \oplus c') = s_i$ and $\mathrm{prob}(\mathbf{k} = 0 \mid \mathbf{s}_i = s_i) = 1$. Thus the value of $f(c)$ depends only on $i$'s share. □

Observe that Corollary 11 is not restricted to weakly perfect finite homomorphic sharing schemes. Moreover a stronger version of this corollary will be given in the final paper.

Corollary 12. Let $K$ be a finite Boolean algebra. A non-trivial finite monotone sharing scheme with key space $K$ which is two-operation-homomorphic (i.e., for the "AND" ($\cdot$) and "OR" ($+$) operations) cannot be weakly perfect.

Proof. Let $B \in F_A$ and $|B| > 1$. Using a similar proof as in Lemma 6 one can prove that in an optimal sharing scheme $f(c) = 1$ implies that for all $i \in B$: $g_{\{i\}}(c) \cdot g_{\{i\}}(C) = g_{\{i\}}(C)$.

Now, if $f(c) \ne 1$, then there exists an $i \in B$ such that $g_{\{i\}}(c) \cdot g_{\{i\}}(C) \ne g_{\{i\}}(C)$, by contradiction. Indeed, if $g_{\{i\}}(c) \cdot g_{\{i\}}(C) = g_{\{i\}}(C)$ for all $i \in B$ then $f_B(g_B(c) \cdot g_B(C)) = f(c) \cdot K = f_B(g_B(C)) = K$, but if $f(c) \cdot K = K$ then one can prove that $f(c) = 1$, contradiction. So, it is not weakly perfect. (To prove that $k \cdot K = K$ implies $k = 1$, observe that if $k \ne 1$, there exists a $k_1 \in K$ such that $k_1 + k \ne k_1$ and moreover $k \cdot (k_1 + k) = k \cdot k_1$.) □

⁴ We note that for this corollary we are only concerned that the algebraic properties, not the security properties, hold during the optimization.

Corollary 13. If the key space $K$ of a weakly perfect $t$-out-of-$|A|$ finite two-operation-homomorphic threshold scheme is either a Boolean Algebra or a Galois field, then $t = 1$.

5 Open problems 

This paper demonstrates that finite homomorphic sharing schemes have limitations. However such schemes have already proved to be useful in several cryptographic applications [3, 7, 12, 16, 8, 15]. One wonders what more can be done with homomorphic sharing schemes.

Several examples can be constructed using algebraic structures which can be made homomorphic. For instance, it is obvious that a homomorphic sharing scheme exists for key space $K$ and binary operation defined by $a * b = a$ for all $a, b \in K$. Thus a group structure is not required to make a homomorphic sharing scheme. A two-operation-homomorphic sharing scheme can be defined on a key space $K(+,*)$ where $K(+)$ is an Abelian group and the binary operation $*$ is defined as $a * b = 0$ for all $a, b \in K$. Thus there are rings in which two-operation-homomorphic sharing schemes can be made. Though these examples are trivial and do not seem to have cryptographic usefulness, they do introduce the following open problems:

1. What other (useful) algebraic structures have perfect homomorphic sharing schemes?

2. What other algebraic structures have two-operation-homomorphic sharing schemes?

3. What circuit evaluation can be made homomorphic (observe that it is possible to evaluate RSA in a homomorphic threshold way [8])?

4. How close to perfect can homomorphic sharing schemes be made for non-Abelian groups?

5. Are the share sets groups in an optimal homomorphic sharing scheme with key space a finite Abelian group (so are the $S_i(\cdot)$ associative)?

6 Conclusion 

Homomorphic sharing schemes have been useful in making secret ballot election [3], threshold signature, and threshold authentication [12, 16, 8, 15] schemes. This paper discusses the limitations of the concept of homomorphic sharing schemes by demonstrating that they cannot be used with non-interactive evaluation of Boolean circuits. Although perfect homomorphic threshold schemes exist for any Abelian group [9], this result does not extend to other groups. Several open problems have also been introduced.
An $l$-Span Generalized Secret Sharing Scheme

Lein Harn and Hung-Yu Lin

Computer Science Telecommunications Program
University of Missouri - Kansas City
Kansas City, MO 64110

Abstract. For some secret sharing applications, the secret reconstructed is not revealed to the participants, and therefore the secret/shadows can be repeatedly used without having to be changed. But for other applications, in which the secret reconstructed is revealed to participants, a new secret must be chosen and its corresponding shadows must be regenerated and then secretly distributed to participants again, in order to enforce the same secret sharing policy. This is inefficient because of the overhead in the generation and distribution of shadows. In this paper, an $l$-span secret sharing scheme for the general sharing policy is proposed to solve the secret/shadows regeneration problem by extending the life span of the shadows from 1 to $l$, i.e., the shadows can be repeatedly used $l$ times to generate $l$ different secrets.

I. Introduction

A secret sharing scheme is a method of hiding a secret among multiple shadows such that the secret can be retrieved by some subsets of these shadows but not by the others, according to a given secret sharing policy. For example, Shamir's well-known $(m,n)$-threshold scheme [1] realizes the secret sharing policy in which any $m$, or more than $m$, shadows can reconstruct the secret. This sharing policy is far too simple for many applications because,

E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 558-565, 1993.
© Springer-Verlag Berlin Heidelberg 1993
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implicitly, it assumes that every participant has equal privilege to the secret or 
every participant is equally trusted. Complicated sharing policies, in which 
participants have different privileges, can also be realized by other generalized 
secret sharing schemes [2, 3, 4]. One common feature among almost all secret 
sharing schemes is that once the reconstructed secret is exposed, a new secret 
must be chosen and its corresponding shadows must be regenerated and then 
secretly distributed to participants again, in order to enforce the same secret 
sharing policy. From life span aspects of the shadows, these traditional 
schemes are called 1 -span secret sharing schemes. 

Depending on the application, the secret can be reconstructed inside a tamper-free 
device without revealing it to the participants. For such applications, the 
secret/shadows can be used repeatedly. But for other applications, in which the 
reconstructed secret is revealed to the participants, a new secret must be chosen and 
its corresponding shadows must then be generated in order to enforce the same secret 
sharing policy. Such a regeneration process is inefficient because of the overhead 
in the generation and distribution of shadows. 

One previous work which tries to solve the shadow regeneration problem can 
be found in [5], but it deals only with traditional threshold schemes, and the 
threshold value is decreased in proportion to the number of different secrets 
which have been revealed. In this paper, an l-span secret sharing scheme for 
the general sharing policy will be proposed to solve the secret/shadows 
regeneration problem by extending the life span of the shadows from 1 to l, 
i.e., the shadows can be used repeatedly l times to generate l different 
secrets. Section II gives some definitions and Section III briefly reviews the 
scheme on which the proposed l-span generalized secret sharing scheme is 
based. The l-span generalized secret sharing scheme and an example are 
included in Section IV. 

II. Definitions 

Suppose a secret key $k$ is to be shared according to a given secret sharing 
policy by a group of $m$ participants $U = \{u_1, u_2, \ldots, u_m\}$. Each participant 
may be designated with a different privilege. A generalized secret sharing 
scheme is a method of breaking $k$ into $m$ pieces $k_1, k_2, \ldots, k_m$, with $k_i$ 
secretly distributed to $u_i$, such that 

(1) if $A \subseteq U$ is a qualified subset of participants, called a positive access 
instance, according to the secret sharing policy, then $k$ can be reconstructed 
from the shadows $\{k_i \mid u_i \in A\}$; 

(2) if $A \subseteq U$ is not a qualified subset of participants, called a negative access 
instance, according to the secret sharing policy, then $k$ cannot be reconstructed 
from $\{k_i \mid u_i \in A\}$. 

The set $\Gamma$ of all positive access instances is called the positive access structure 
of the secret sharing policy and the set $N$ of all negative access instances is 
called the negative access structure of the secret sharing policy. Suppose the 
positive access structure of a given sharing policy is $\Gamma$. The corresponding 
negative access structure is $N = 2^U - \Gamma$. 

III. Lin and Harn's Generalized Secret Sharing Scheme 

The dealer first secretly selects two large primes, $p$ and $q$, and publishes their 
product $n = pq$. Then it assigns a distinct prime $p_j$ to each negative access 
instance $N_j$ of $m(N)$ and computes the tag $t_i$ associated with participant $u_i$ 
as 

$$t_i = \prod_{N_j \in m(N),\; u_i \in N_j} p_j,$$ 

where $m(N)$ is the maximal set of the negative access structure, i.e., the 
negative access instances not contained in any larger negative access instance. 
The shadows assigned to the participants are computed as 

$$k_i = k^{t_i} \bmod n, \quad i = 1, 2, \ldots, m, \text{ where } k \text{ is the secret.}$$ 

Each shadow $k_i$ is then secretly distributed to participant $u_i$. 
The dealer also publishes one pair of check values, $t_c$ and $k_c$, where 

$$t_c = \prod_{N_j \in m(N)} p_j$$ 

and $k_c = k^{t_c} \bmod n$, for the users' verification of the correctness of their 
received shadows (since $t_i$ divides $t_c$, participant $u_i$ can check that 
$k_i^{\,t_c/t_i} \equiv k_c \pmod n$). 

The secret $k$ can be reconstructed by any positive access instance according to 
Theorem 1 in [4]: 

THEOREM 1. Given $k_1, k_2, e_1$, and $e_2$ such that $k_1 = k^{e_1} \bmod n$ and 
$k_2 = k^{e_2} \bmod n$, $k^r \bmod n$ can be easily computed if $\gcd(e_1, e_2) = r$. 

IV. The l-Span Generalized Secret Sharing Scheme 

In this l-span secret sharing scheme, the generation of the tags associated with 
participants is the same as mentioned above. However, since there are multiple 
secrets corresponding to the same set of shadows, the choice of the secrets and 
the generation of the shadows need to be modified. 

First, the secret $k$ is replaced by a sequence of secrets $s_j$, where 

$$s_j = k^{t_c^{\,l-j}} \bmod n, \quad j = 1, 2, \ldots, l.$$ 

Note that each secret should be used only once to enforce the secret sharing 
policy, and participants should reconstruct the secrets $s_1, s_2, \ldots, s_l$ in that 
order to obtain the maximum life span of $k$. 
Then the shadows assigned to the participants are computed as 

$$k_i = k^{t_i^{\,l}} \bmod n, \quad i = 1, 2, \ldots, m.$$ 

Now suppose a positive access instance $A$ wants to reconstruct the secret $s_j$. 
Each participant $u_i \in A$ computes 

$$\begin{aligned}
k_{ij} &= (k_i)^{(t_c/t_i)^{l-j}} \bmod n \\
&= \big(k^{t_i^{\,l}}\big)^{(t_c/t_i)^{l-j}} \bmod n \\
&= k^{t_c^{\,l-j}\, t_i^{\,j}} \bmod n \\
&= \big(k^{t_c^{\,l-j}}\big)^{t_i^{\,j}} \bmod n \\
&= (s_j)^{t_i^{\,j}} \bmod n,
\end{aligned}$$ 

and then submits it, instead of his shadow $k_i$. 

THEOREM 2. Any positive access instance $A$ can reconstruct $s_j$ for $j = 1, 2, \ldots, l$. 

<Proof> The greatest common divisor of the $t_i^{\,j}$'s, for $u_i \in A$, is 1, so $s_j$ can be 
derived from the $k_{ij}$'s by Theorem 1. 

LEMMA 1. The $s_j$'s and $k_{ij}$'s, $i = 1$ to $m$, can be derived from $s_r$ if $j < r \leq l$. 

<Proof> Since $r - j > 0$, $s_j = k^{t_c^{\,l-j}} \bmod n$ and $s_r = k^{t_c^{\,l-r}} \bmod n$, we can 
derive $s_j$ from $s_r$ by a single modular exponentiation (the easy direction of the 
one-way function) as 

$$s_j = (s_r)^{t_c^{\,r-j}} \bmod n.$$ 

Similarly, we can derive the $k_{ij}$'s from $s_r$. 

LEMMA 2. The $s_j$'s and $k_{ij}$'s, $i = 1$ to $m$, cannot be derived with knowledge of 
$s_r$ if $r < j \leq l$. 

<Proof> From the RSA assumption in [4], i.e., modular exponentiation is a 
one-way function. 

THEOREM 3. No negative access instance can derive $s_j$ unless some $s_r$, 
with $j < r$, has been revealed. 

<Proof> This theorem can be proved from Lemma 1, Lemma 2, and 
Theorem 5 in [4]. 

Here we give an example to illustrate our idea. 

EXAMPLE. Suppose there are four members in the system, Alice, Bob, 
Cathy, and David. The secret sharing policy is that either Alice and Bob 
working together, or Bob and Cathy working together, or Alice, Cathy, and 
David working together can reconstruct the secret. The positive access 
structure of this sharing policy can be represented as 

$$\Gamma = (AB) \cup (BC) \cup (ACD).$$ 

The negative access structure is therefore the complement of the positive 
access structure and can be represented as 

$$\begin{aligned}
N = {} & (AB'C'D') \cup (AB'C'D) \cup (AB'CD') \cup (A'BC'D') \cup (A'BC'D) \\
& \cup (A'B'C'D') \cup (A'B'C'D) \cup (A'B'CD) \cup (A'B'CD'),
\end{aligned}$$ 

where a primed letter denotes the absence of that participant. By Lemmas 2-5 in 
reference [4], we can derive 

$$\begin{aligned}
m(N) &= m\big(m(B'C') \cup m(B'D') \cup m(A'B') \cup m(A'C')\big) \\
&= m(B'C') \cup m(B'D') \cup m(A'B') \cup m(A'C') \\
&= \{\{\text{Alice, David}\}, \{\text{Alice, Cathy}\}, \{\text{Cathy, David}\}, \{\text{Bob, David}\}\}.
\end{aligned}$$ 

This maximal set of the negative access structure tells that the secret key 
cannot be reconstructed either by Alice and David alone, or by Alice and 
Cathy alone, or by Cathy and David alone, or by Bob and David alone. 
Now, the trusted key center selects two secret large primes, $p$ and $q$, and 
publishes their product $n = pq$. Then it selects $p_1, p_2, p_3, p_4$ as the 
public primes, one for each member of $m(N)$ in the order listed above. These 
prime numbers can be chosen as small as possible. A secret key, $k$, is chosen 
from $[2, n-1]$. According to this l-span generalized secret sharing scheme, the 
secret keys to be shared are chosen as 

$$s_j = k^{t_c^{\,l-j}} \bmod n, \quad j = 1, 2, \ldots, l, \text{ where } t_c = p_1 p_2 p_3 p_4,$$ 

and the tags and the corresponding shadows associated with the users are computed 
as 

$$\begin{aligned}
t_{Alice} &= p_1 p_2, & k_{Alice} &= k^{p_1^{\,l} p_2^{\,l}} \bmod n, \\
t_{Bob} &= p_4, & k_{Bob} &= k^{p_4^{\,l}} \bmod n, \\
t_{Cathy} &= p_2 p_3, & k_{Cathy} &= k^{p_2^{\,l} p_3^{\,l}} \bmod n, \text{ and} \\
t_{David} &= p_1 p_3 p_4, & k_{David} &= k^{p_1^{\,l} p_3^{\,l} p_4^{\,l}} \bmod n.
\end{aligned}$$ 

Now suppose Alice and Bob, which combination is a positive access instance, 
want to reconstruct $s_j$. Alice will present her shadow as 

$$k_{Alice,j} = (k_{Alice})^{p_3^{\,l-j} p_4^{\,l-j}} = k^{p_1^{\,l} p_2^{\,l} p_3^{\,l-j} p_4^{\,l-j}} \bmod n,$$ 

and Bob will present his shadow as 

$$k_{Bob,j} = (k_{Bob})^{p_1^{\,l-j} p_2^{\,l-j} p_3^{\,l-j}} = k^{p_1^{\,l-j} p_2^{\,l-j} p_3^{\,l-j} p_4^{\,l}} \bmod n.$$ 

By Euclid's algorithm, since 

$$\gcd\big(p_1^{\,l} p_2^{\,l} p_3^{\,l-j} p_4^{\,l-j},\; p_1^{\,l-j} p_2^{\,l-j} p_3^{\,l-j} p_4^{\,l}\big) = p_1^{\,l-j} p_2^{\,l-j} p_3^{\,l-j} p_4^{\,l-j},$$ 

an integer pair $(a, b)$ can be found such that 

$$a \cdot \big(p_1^{\,l} p_2^{\,l} p_3^{\,l-j} p_4^{\,l-j}\big) + b \cdot \big(p_1^{\,l-j} p_2^{\,l-j} p_3^{\,l-j} p_4^{\,l}\big) = p_1^{\,l-j} p_2^{\,l-j} p_3^{\,l-j} p_4^{\,l-j}.$$ 

Therefore, the secret $s_j$ can be reconstructed by computing 

$$(k_{Alice,j})^a \cdot (k_{Bob,j})^b \bmod n = k^{p_1^{\,l-j} p_2^{\,l-j} p_3^{\,l-j} p_4^{\,l-j}} \bmod n = s_j$$ 

(one of $a$, $b$ is negative, so the corresponding factor is a power of a modular 
inverse, which exists whenever $\gcd(k, n) = 1$). 
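The l-span scheme of Sections III and IV, run end to end on the four-member policy of the example, as an added Python illustration (this is not code from the paper). It derives m(N) from the positive access structure, assigns the public primes, builds the tags, the secrets s_j and the l-span shadows, and reconstructs s_j with the gcd trick of Theorem 1, which is the same step used in Section III. The toy modulus, the base secret, the prime assignment order and the form of the check value for the l-span shadows (k_c = k^{t_c^l}, by analogy with the 1-span check) are assumptions of this example; pow() with a negative exponent needs Python 3.8 or later.

```python
from itertools import combinations
from math import prod

# Toy parameters constructed for this example (not the paper's numbers): a
# two-prime modulus far too small for real use but enough to run the scheme.
P, Q = 1000003, 1000033
N = P * Q
L = 3                       # life span: the same shadows serve L secrets
K = 123456789               # the base secret k, with gcd(k, N) == 1

PARTICIPANTS = ["Alice", "Bob", "Cathy", "David"]
# The paper's example policy: Gamma = (AB) u (BC) u (ACD).
POSITIVE = [{"Alice", "Bob"}, {"Bob", "Cathy"}, {"Alice", "Cathy", "David"}]


def is_qualified(group):
    return any(a <= set(group) for a in POSITIVE)


def maximal_negative_sets():
    """m(N): the negative access instances not contained in a larger one."""
    neg = [frozenset(c) for r in range(len(PARTICIPANTS) + 1)
           for c in combinations(PARTICIPANTS, r) if not is_qualified(c)]
    return [s for s in neg if not any(s < t for t in neg)]


def egcd(a, b):
    """Extended Euclid: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def combine(k1, e1, k2, e2, n):
    """Theorem 1: from k1 = k^e1 and k2 = k^e2 (mod n) obtain k^gcd(e1, e2).
    A negative Bezout coefficient is a power of the modular inverse, which
    pow() computes for a negative exponent (Python >= 3.8)."""
    g, x, y = egcd(e1, e2)
    return g, (pow(k1, x, n) * pow(k2, y, n)) % n


def dealer_setup(n, k, l):
    """Assign a distinct prime to each maximal negative set; derive the tags
    t_i, the check exponent t_c, the secrets s_j = k^(t_c^(l-j)) and the
    l-span shadows k_i = k^(t_i^l)."""
    prime_of = dict(zip(maximal_negative_sets(), [2, 3, 5, 7, 11, 13]))
    tags = {u: prod(p for s, p in prime_of.items() if u in s) for u in PARTICIPANTS}
    t_c = prod(prime_of.values())
    secrets = [pow(k, t_c ** (l - j), n) for j in range(1, l + 1)]   # s_1 .. s_l
    shadows = {u: pow(k, tags[u] ** l, n) for u in PARTICIPANTS}
    k_c = pow(k, t_c ** l, n)   # check value for l-span shadows (assumed form)
    return tags, t_c, secrets, shadows, k_c


def verify_shadow(shadow, tag, t_c, k_c, l, n):
    """u_i checks k_i^((t_c/t_i)^l) == k_c before accepting the shadow."""
    return pow(shadow, (t_c // tag) ** l, n) == k_c


def partial(shadow, tag, t_c, l, j, n):
    """k_ij = k_i^((t_c/t_i)^(l-j)) = s_j^(t_i^j) mod n, submitted for s_j."""
    return pow(shadow, (t_c // tag) ** (l - j), n)


def reconstruct(group, tags, t_c, shadows, l, j, n):
    """Fold the k_ij of a group with Theorem 1. The accumulated exponent is
    the gcd of the t_i^j and equals 1 exactly when the group is qualified;
    a negative instance ends with some p^j > 1 and only learns s_j^(p^j)."""
    group = list(group)
    exp = tags[group[0]] ** j
    val = partial(shadows[group[0]], tags[group[0]], t_c, l, j, n)
    for u in group[1:]:
        k_uj = partial(shadows[u], tags[u], t_c, l, j, n)
        exp, val = combine(val, exp, k_uj, tags[u] ** j, n)
    return exp, val


def derive_earlier(s_r, r, j, t_c, n):
    """Lemma 1: s_j = s_r^(t_c^(r-j)) for j < r. The other direction would
    need a t_c-th root modulo n, i.e. breaking the RSA assumption."""
    return pow(s_r, t_c ** (r - j), n)
```

Running reconstruct() for {Alice, Bob} or {Alice, Cathy, David} returns exponent 1 and the secret; for {Alice, David} the exponent stays divisible by the prime assigned to that maximal negative set, which is the whole point of the tag construction.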



V. Conclusion 

An l-span generalized secret sharing scheme is proposed in this paper. It 
allows secrets to be shared in a more efficient way, in which the same set of 
shadows can be used to reconstruct l different secrets. For applications in 
which the reconstructed secret must be revealed and the same secret sharing 
policy must still be enforced, it alleviates the overhead in the generation and 
distribution of shadows. 
1 Introduction 

The purpose of this paper is to show that there exist DES-like iterated ciphers 
which are provably resistant against differential attacks. The main result on the 
security of a DES-like cipher with independent round keys is Theorem 1, which 
gives an upper bound on the probability of $r$-round differentials, as defined in [3], 
and this upper bound depends only on the round function of the iterated cipher. 
Moreover, it is shown that there exist functions such that the probabilities of 
differentials are less than or equal to $2^{2-n}$, where $n$ is the length of the plaintext 
block. We also show a prototype of an iterated block cipher which is compatible 
with DES and has proven security against differential attacks. 

2 Differential Cryptanalysis of DES-like iterated ciphers 

A DES-like cipher is a block cipher based on iterating a function, called $F$, 
several times. Each iteration is called a round. The input to each round is divided 
into two halves. The right half is fed into $F$ together with a round key derived 
from a key schedule algorithm. The output of $F$ is added (modulo 2) to the left 
half of the input and the two halves are swapped except for the last round. The 
plaintext is the input to the first round and the ciphertext is the output of the 
last round. 

Notation: Let the block size of the cipher be $2n$ and the size of the round key 
be $m$, $m \geq n$. Let $f : GF(2)^m \to GF(2)^n$ and $E : GF(2)^n \to GF(2)^m$, an 
affine expansion mapping. Let $L_i, R_i$ be the left and right halves of the input 
to the $i$'th round. Then $L_{i+1} = R_i$ and $R_{i+1} = f(E(R_i) \oplus K_i) \oplus L_i$ and 
$F(R_i, K_i) = f(E(R_i) \oplus K_i)$. 

In [1] Biham and Shamir introduced differential cryptanalysis of DES-like ci- 
phers. In their attacks they make use of characteristics, which describe the be- 
haviour of input and output differences for some number of consecutive rounds. 
The probability of a one-round characteristic is the conditional probability that 
given a certain difference in the inputs to the round we get a certain difference 
in the outputs of that round. Assume that in every round the inputs $E(R) \oplus K$ 
to f are independent and random. This assumption is satisfied if the round keys 
are uniformly random and independent. Then the probability of an r-round 
characteristic is obtained by multiplying the probabilities of the r one-round 
characteristics. 

Lai and Massey [3] observed that for the success of differential cryptanalysis it is 
not necessary to fix the values of input and output differences for the intermedi- 
ate rounds in a characteristic. They introduced the notion of differentials. The 
probability of an r-round differential is the conditional probability that given an 
input difference at the first round, the output difference at the r'th round will 
be some fixed value. Note that the probability of an r-round differential with 
input difference A and output difference B is the sum of the probabilities of 
all r-round characteristics with input difference A and output difference B. For 
$r \leq 2$ the probabilities for a differential and for the corresponding characteristic 
are equal, but in general the probabilities for differentials will be higher. 
In order to make a successful attack on a DES-like iterated cipher by differen- 
tial cryptanalysis the existence of good characteristics is sufficient. On the other 
hand to prove security against differential attacks for DES-like iterated ciphers 
we must ensure that there is no differential with a probability high enough to 
enable successful attacks. 

The difference of two inputs $E(R) \oplus K$ and $E(R^*) \oplus K$ to $f$ is $E(R) \oplus E(R^*)$. Since 
we assume $E$ to be affine, the difference of two inputs depends only on the difference 
$R \oplus R^*$. Hence for DES-like ciphers the round probabilities of characteristics 
only depend on the intrinsic properties of $f$. Given $f : GF(2)^m \to GF(2)^n$ denote 

$$p_{\max} = 2^{-m} \max_{\beta} \max_{\alpha \neq 0} \#\{X \in GF(2)^m \mid f(X \oplus \alpha) \oplus f(X) = \beta\}.$$ 

That is, $p_{\max}$ is the highest probability for a non-trivial one-round characteristic 
or differential. 

Theorem 1 It is assumed that in a DES-like cipher with $f : GF(2)^m \to GF(2)^n$ 
the inputs to $f$ at each round are independent and uniformly random. Then the 
probability of an $r$-round differential, $r \geq 4$, is less than or equal to $2p_{\max}^2$. 

Proof: We shall first give the proof for $r = 4$. Let $\alpha_L$ and $\alpha_R$ be the left and right 
halves of the input difference at the first round and $\beta_L$ and $\beta_R$ be the corresponding 
halves of the output difference at the last round. Either $\beta_L \neq 0$ or $\beta_R \neq 0$ or 
both. We shall give the proof in the case $\beta_L = 0$, $\beta_R \neq 0$; the other two cases 
are similar. We denote by $\Delta R(i)$ the right input difference to the $i$'th round, 
$i = 2, 3, 4$. Let $\beta_L = 0$ and $\beta_R \neq 0$. Then $\Delta R(4) = \beta_L = 0$ and $\Delta R(3) = \beta_R$. We 
separate between two cases: $\alpha_R \neq \beta_R$ and $\alpha_R = \beta_R$. 

1. $\alpha_R \neq \beta_R$. Then $\Delta R(2) \neq 0$. For any given $\Delta R(2) \neq 0$ there is exactly one 
way of getting $\beta_L, \beta_R$ from the input differences $\alpha_R$ and $\Delta R(2)$ at the second 
round, and the probability is less than or equal to $p_{\max}^2$. Hence the probability 
of the four-round differential is less than or equal to $p_{\max}^2$. 

2. $\alpha_R = \beta_R$. If $\Delta R(2) = 0$ it follows that the output difference from $F$ at the 
third round $\Delta F(R(3)) = 0$, which happens with probability less than or equal 
to $p_{\max}$, because $\Delta R(3) = \beta_R \neq 0$. Since $\alpha_R \neq 0$ we have 

$$\mathrm{Prob}(\Delta R(2) = 0 \mid \alpha_L, \alpha_R) \leq p_{\max}.$$ 

If $\Delta R(2) \neq 0$ the probability that $\Delta F(R(3)) = \Delta R(2)$ is less than or equal to 
$p_{\max}$. We also need to have $\Delta F(R(2)) = 0$, which is true with probability less 
than or equal to $p_{\max}$. So we obtain 

$$\begin{aligned}
\mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R) 
&= \sum_{\Delta R(2)} \mathrm{Prob}(\Delta R(2) \mid \alpha_L, \alpha_R)\, \mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R, \Delta R(2)) \\
&= \mathrm{Prob}(\Delta R(2) = 0 \mid \alpha_L, \alpha_R)\, \mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R, \Delta R(2) = 0) \\
&\quad + \sum_{\Delta R(2) \neq 0} \mathrm{Prob}(\Delta R(2) \mid \alpha_L, \alpha_R)\, \mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R, \Delta R(2)) \\
&\leq p_{\max} \cdot p_{\max} + p_{\max}^2 \sum_{\Delta R(2) \neq 0} \mathrm{Prob}(\Delta R(2) \mid \alpha_L, \alpha_R) \\
&\leq 2p_{\max}^2.
\end{aligned}$$ 

Let now $r > 4$. Then 

$$\mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R) = \sum_{\Delta L(r-3),\, \Delta R(r-3)} \Big[ \mathrm{Prob}(\Delta L(r-3), \Delta R(r-3) \mid \alpha_L, \alpha_R) \cdot \mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R, \Delta L(r-3), \Delta R(r-3)) \Big].$$ 

Since we assumed that the inputs to $f$ are independent and uniformly random it 
follows from the proof for $r = 4$ that 

$$\mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R, \Delta L(r-3), \Delta R(r-3)) = \mathrm{Prob}(\beta_L, \beta_R \mid \Delta L(r-3), \Delta R(r-3)) \leq 2p_{\max}^2.$$ 

Thus $\mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R) \leq 2p_{\max}^2$. □ 
If $f$ is a permutation, then in every characteristic between two zero rounds there 
have to be at least two nonzero rounds and the following result can be proved. 

Theorem 2 It is assumed that the function $f$ in a DES-like cipher is a 
permutation and that the inputs to $f$ at each round are independent and uniformly 
random. Then the probability of an $r$-round differential for $r \geq 3$ is less than or 
equal to $p_{\max}^2$. 

Proof: We give the proof for $r = 3$. The general case can then be proved like in 
the preceding theorem. Again we separate between three cases and use the same 
notation as before. 

1. $\beta_L = 0$, $\beta_R \neq 0$. In this case the third round of each characteristic is a zero 
round. At the second round the input difference $\Delta R(2) = \beta_R \neq 0$ results in 
an output difference $\alpha_R \neq 0$ with probability less than or equal to $p_{\max}$. At 
the first round we get the output difference $\alpha_L \oplus \beta_R \neq 0$ with probability 
less than or equal to $p_{\max}$ from the input difference $\Delta R(1) = \alpha_R \neq 0$. Hence 
$\mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R) \leq p_{\max}^2$. 

2. $\beta_L \neq 0$, $\beta_R = 0$. Now the output difference at the third round equals $\Delta R(2)$ 
and it is different from zero. Given $\Delta R(2) \neq 0$ the probability of the third 
round is less than or equal to $p_{\max}$ and the same holds for the second round. 
Consequently 

$$\begin{aligned}
\mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R) 
&= \sum_{\Delta R(2)} \mathrm{Prob}(\Delta R(2) \mid \alpha_L, \alpha_R)\, \mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R, \Delta R(2)) \\
&\leq \sum_{\Delta R(2)} \mathrm{Prob}(\Delta R(2) \mid \alpha_L, \alpha_R) \cdot p_{\max}^2 \leq p_{\max}^2.
\end{aligned}$$ 

3. $\beta_L \neq 0$, $\beta_R \neq 0$. Assume first that $\Delta R(2) = 0$. Then for every characteristic 
the probability of the third round is less than or equal to $p_{\max}$, the probability 
of the second round is one and the probability of the first round is less than or 
equal to $p_{\max}$. Secondly, given $\Delta R(2) \neq 0$, the probability of the third round 
is less than or equal to $p_{\max}$ and the same is true for the second round. Hence 
$\mathrm{Prob}(\beta_L, \beta_R \mid \alpha_L, \alpha_R) \leq p_{\max}^2$ also in this case. □ 



3 Almost perfect nonlinear permutations 

For a mapping $f : GF(2)^m \to GF(2)^n$ the lower bound for $p_{\max}$ is $2^{-n}$. Mappings 
attaining this lower bound were investigated in [7], where they are called 
perfect nonlinear, generalizing the definition of perfect nonlinearity given for 
Boolean functions in [6]. It was shown in [7] that perfect nonlinear mappings 
from $GF(2)^m \to GF(2)^n$ only exist for $m$ even and $m \geq 2n$. Hence they can be 
adapted for use in DES-like ciphers only with expansion mappings that double 
the block length. 

If the round function of a DES-like cipher does not involve any expansion, i.e. in 
the case when $f : GF(2)^m \to GF(2)^n$ with $m = n$ is a permutation, the trivial lower 
bound for $p_{\max}$ is $2^{1-n}$, since then the difference 

$$f(\mathbf{x} + \mathbf{w}) + f(\mathbf{x})$$ 

is never zero and takes the same value at $\mathbf{x}$ and at $\mathbf{x} + \mathbf{w}$, so at best it 
obtains half of the values in $GF(2)^n$ twice each and never the other half of the values. 
We shall call the permutations with $p_{\max} = 2^{1-n}$ almost perfect nonlinear. The 
purpose of this section is to show that such permutations exist. 
Assume that $m = nd$, where $m, n, d$ are all odd integers. In [8] permutations $f$ 
in $GF(2^m) = GF(2^d)^n$ were constructed to satisfy the following property: 

(P) Every nonzero linear combination of the components of $f$ is a balanced 
quadratic form $\mathbf{x}^t C \mathbf{x}$ in $n$ indeterminates over $GF(2^d)$ with $\mathrm{rank}(C + C^t) = n - 1$. 
Indeed the following theorem holds. 

Theorem 3 Let $f : GF(2^d)^n \to GF(2^d)^n$ be a permutation satisfying (P). Then 

$$p_{\max} = 2^{d(1-n)}.$$ 

For the sake of simplicity we shall give the proof in the case where $d = 1$ and 
$m = n$. 

Lemma 1 A quadratic form $f(\mathbf{x}) = \mathbf{x}^t A \mathbf{x}$ in $n$ indeterminates over $GF(2)$ is 
balanced if and only if $f(\mathbf{w}) \neq 0$ for the linear structure $\mathbf{w}$ of $f$. 

Recall that a linear structure $\mathbf{w}$ of $f : F^n \to F$ is a nonzero vector in $F^n$ such that 
$f(\mathbf{x} + \mathbf{w}) + f(\mathbf{x})$ is constant. It was also shown in [8] that a quadratic form 
$f(\mathbf{x}) = \mathbf{x}^t A \mathbf{x}$ in $n$ indeterminates over $GF(2)$ with $\mathrm{rank}(A + A^t) = n - 1$ has 
exactly one linear structure. 

Proof of Lemma 1: Let 

$$\varphi(x_1, \ldots, x_n) = x_1 x_2 + \cdots + x_{n-2} x_{n-1} + \delta x_n = \mathbf{x}^t C \mathbf{x},$$ 

$\delta = 0$ or $1$, be the quadratic forms to which all quadratic forms $f(\mathbf{x}) = \mathbf{x}^t A \mathbf{x}$ 
with $\mathrm{rank}(A + A^t) = n - 1$ are equivalent (see [4]). It means that there is a 
linear transformation $T$ of coordinates such that $f(\mathbf{x}) = \varphi(T\mathbf{x})$. Then $\mathbf{w}$ is a 
linear structure of $f$ if and only if $T\mathbf{w} = (0, 0, \ldots, 0, 1)$. Then $f$ is balanced if 
and only if $\varphi$ is balanced, which is true if and only if $\delta = 1$. But $\delta = 1$ if and only 
if 

$$f(\mathbf{w}) = \varphi(T\mathbf{w}) = \varphi(0, \ldots, 0, 1) = 1.$$ 

□ 

Lemma 2 Let $\mathbf{w} \in GF(2)^n$ be not the linear structure of $f : GF(2)^n \to GF(2)$, 
$f(\mathbf{x}) = \mathbf{x}^t A \mathbf{x}$ with $\mathrm{rank}(A + A^t) = n - 1$. Then 

$$\mathbf{x} \mapsto f(\mathbf{x} + \mathbf{w}) + f(\mathbf{x})$$ 

is balanced. 

Proof: It suffices to show that 

$$\varphi(\mathbf{x} + \mathbf{w}) + \varphi(\mathbf{x})$$ 

is balanced for every $\mathbf{w} \neq (0, \ldots, 0, 1)$. But this is true since 

$$\varphi(\mathbf{x} + \mathbf{w}) + \varphi(\mathbf{x}) = (x_1 + w_1)(x_2 + w_2) + \cdots + (x_{n-2} + w_{n-2})(x_{n-1} + w_{n-1}) + x_n + w_n + x_1 x_2 + \cdots + x_{n-2} x_{n-1} + x_n$$ 

is a non-constant affine or linear function for every $\mathbf{w} \neq (0, \ldots, 0, 1)$. □ 

Lemma 3 Let $f : GF(2)^n \to GF(2)^n$ be a permutation with property (P). Then 
every nonzero vector $\mathbf{w} \in GF(2)^n$ is a linear structure of a nonzero linear 
combination of the components of $f$. 

Proof: It suffices to show that two different linear combinations of the components 
of $f$ have different linear structures. Let $\mathbf{u}_1$ and $\mathbf{u}_2$ be nonzero vectors in 
$GF(2)^n$ and let $\mathbf{w}_1$ and $\mathbf{w}_2$ be the linear structures of $\mathbf{u}_1 \cdot f$ and $\mathbf{u}_2 \cdot f$, respectively. 
If $\mathbf{w}_1 = \mathbf{w}_2 = \mathbf{w}$ it follows that $\mathbf{w}$ is also the linear structure of $(\mathbf{u}_1 + \mathbf{u}_2) \cdot f$. 
Since $\mathbf{u}_1 \cdot f$ and $\mathbf{u}_2 \cdot f$ are balanced it follows from Lemma 1 that 

$$\mathbf{u}_1 \cdot f(\mathbf{w}) = \mathbf{u}_2 \cdot f(\mathbf{w}) = 1$$ 

and consequently 

$$(\mathbf{u}_1 + \mathbf{u}_2) \cdot f(\mathbf{w}) = 0.$$ 

If $\mathbf{u}_1 \neq \mathbf{u}_2$, then $(\mathbf{u}_1 + \mathbf{u}_2) \cdot f$ is balanced. Thus by Lemma 1, $\mathbf{u}_1 = \mathbf{u}_2$. □ 
Now Theorem 3 for $d = 1$ is a consequence of the following 

Theorem 4 Let $f = (f_1, f_2, \ldots, f_n) : GF(2)^n \to GF(2)^n$ be a permutation that 
satisfies (P). Then for every fixed nonzero difference $\mathbf{w} \in GF(2)^n$ of the inputs 
to $f$, the differences of the outputs lie in an affine hyperplane of $GF(2)^n$ and 
are uniformly distributed there. 

Proof: Let $\mathbf{w}$ be a nonzero input difference for $f$. Then by Lemma 3 there is 
$\mathbf{v} \in GF(2)^n$, $\mathbf{v} \neq 0$, such that $\mathbf{w}$ is the linear structure of $\mathbf{v} \cdot f$ and by Lemma 1 

$$\mathbf{v} \cdot f(\mathbf{x} + \mathbf{w}) + \mathbf{v} \cdot f(\mathbf{x}) = 1$$ 

for all $\mathbf{x} \in GF(2)^n$. 

Let $\mathbf{u}_1, \ldots, \mathbf{u}_{n-1}$ be linearly independent vectors in $GF(2)^n$ such that 

$$\mathbf{v} \notin \mathrm{span}\{\mathbf{u}_1, \ldots, \mathbf{u}_{n-1}\}.$$ 

Then by Lemma 2 for every nonzero $\mathbf{u} \in \mathrm{span}\{\mathbf{u}_1, \ldots, \mathbf{u}_{n-1}\}$ the function 

$$\mathbf{x} \mapsto \mathbf{u} \cdot f(\mathbf{x} + \mathbf{w}) + \mathbf{u} \cdot f(\mathbf{x})$$ 

is balanced, which means (see [4]) that for every $(b_1, \ldots, b_{n-1}) \in GF(2)^{n-1}$ the 
system of equations 

$$\mathbf{u}_i \cdot f(\mathbf{x} + \mathbf{w}) + \mathbf{u}_i \cdot f(\mathbf{x}) = b_i, \quad i = 1, \ldots, n - 1,$$ 

has 2 solutions $\mathbf{x} \in GF(2)^n$. Hence the system of $n$ equations 

$$(2) \qquad \begin{aligned} \mathbf{u}_i \cdot f(\mathbf{x} + \mathbf{w}) + \mathbf{u}_i \cdot f(\mathbf{x}) &= b_i, \quad i = 1, \ldots, n - 1, \\ \mathbf{v} \cdot f(\mathbf{x} + \mathbf{w}) + \mathbf{v} \cdot f(\mathbf{x}) &= b \end{aligned}$$ 

has 2 solutions if $b = 1$ and no solutions if $b = 0$. Every system of $n$ equations 

$$f_i(\mathbf{x} + \mathbf{w}) + f_i(\mathbf{x}) = a_i, \quad i = 1, 2, \ldots, n,$$ 

is a linear transformation of (2), from which the claim follows. □ 

By a similar argumentation one can prove the following generalization of Theorem 3. 

Theorem 5 Let $f$ be a permutation in $GF(2^d)^n$, $d$ and $n$ odd, with property (P) 
and let $f_1, \ldots, f_n$ be the components of $f$ with respect to some arbitrary fixed basis 
over $GF(2^d)$. Let $l < n$ and set $h = (f_1, f_2, \ldots, f_l)$. Then $p_{\max} = 2^{d(1-l)}$ for $h$. 

From the results in Section 2 we now obtain 

Theorem 6 Assume that in a DES-like cipher the function $f$ is a mapping from 
$GF(2)^m$ to $GF(2)^n$, $m \geq n$, obtained from a permutation in $GF(2)^m$ with (P) 
by discarding $m - n$ output bits. Then $p_{\max} = 2^{1-n}$ for $f$. Moreover, if $m > n$, 
then the probability of every $r$-round differential, $r \geq 4$, is less than or equal to 
$2^{3-2n}$, assuming that the inputs to $f$ are uniformly random and independent at 
each round. If $m = n$, the probability of every $r$-round differential, $r \geq 3$, is less 
than or equal to $2^{2-2n}$. 



4 Examples of permutations with property (P) 

Pieprzyk [9] observed that the permutations $f(x) = x^{2^k+1}$ in $GF(2^n)$ with 
$\gcd(k, n) = 1$, $1 \leq k < n$ and $n$ odd are at a large distance from the linear 
mappings. We shall show that these permutations have property (P). 
Let $\alpha_1, \ldots, \alpha_n$ be a basis in $GF(2^n)$ over $GF(2)$ and $\beta_1, \ldots, \beta_n$ be its dual basis. 
Let $\mathbf{x} = \sum_{i=1}^n x_i \alpha_i$, $x_i \in GF(2)$. Then the $i$'th component $f_i(\mathbf{x})$ of $f(\mathbf{x})$ with 
respect to the basis $\alpha_1, \ldots, \alpha_n$ is 

$$\begin{aligned}
f_i(\mathbf{x}) &= \mathrm{Tr}\big(\beta_i \mathbf{x}^{2^k+1}\big) \\
&= \mathrm{Tr}\Big(\beta_i \Big(\sum_{j=1}^n x_j \alpha_j\Big)\Big(\sum_{l=1}^n x_l \alpha_l\Big)^{2^k}\Big) \\
&= \sum_{j=1}^n \sum_{l=1}^n \mathrm{Tr}\big(\gamma_i \alpha_j (\gamma_i \alpha_l)^{2^k}\big)\, x_j x_l,
\end{aligned}$$ 

where $\gamma_i \in GF(2^n)$ is such that $\gamma_i^{2^k+1} = \beta_i$, $i = 1, 2, \ldots, n$. 

Now it is straightforward to check that $\mathrm{Tr}\big(\gamma_i \alpha_j (\gamma_i \alpha_l)^{2^k}\big)$ is the $(j, l)$'th entry in the 
matrix $A_i = B_i^t R^k B_i$, where 

$$B_i = \begin{pmatrix} \gamma_i \alpha_1 & \gamma_i \alpha_2 & \cdots & \gamma_i \alpha_n \\ (\gamma_i \alpha_1)^2 & (\gamma_i \alpha_2)^2 & \cdots & (\gamma_i \alpha_n)^2 \\ \vdots & \vdots & & \vdots \\ (\gamma_i \alpha_1)^{2^{n-1}} & (\gamma_i \alpha_2)^{2^{n-1}} & \cdots & (\gamma_i \alpha_n)^{2^{n-1}} \end{pmatrix}$$ 

is an $n \times n$ regular matrix over $GF(2^n)$ and 

$$R = \begin{pmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & & & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \\ 1 & 0 & 0 & \cdots & 0 \end{pmatrix}$$ 

is the cyclic shift for which $\mathrm{rank}(R^k + (R^k)^t) = n - 1$ if $\gcd(k, n) = 1$. Hence 

$$f_i(\mathbf{x}) = \mathbf{x}^t A_i \mathbf{x}$$ 

and 

$$\mathrm{rank}(A_i + A_i^t) = \mathrm{rank}\big(B_i^t (R^k + (R^k)^t) B_i\big) = \mathrm{rank}(R^k + (R^k)^t) = n - 1$$ 

over $GF(2^n)$. Thus $\mathrm{rank}(A_i + A_i^t) = n - 1$ also over $GF(2)$, since the rank does 
not decrease when going to a subfield and it cannot be $n$. By the linearity of 
the trace function the same holds for every nonzero linear combination of the 
components $f_i$ of $f$. Moreover, since $f$ is a permutation, they are all balanced, 
which completes the proof of property (P) for $f$. 

Matsumoto and Imai proposed in [5] a public key cryptosystem $C^*$, which is 
based on power polynomials $x^{2^k+1}$. If the round function of an iterated DES-like 
cipher of block size 64 makes use of the mapping $x^{2^k+1}$ as proposed below 
in Section 5, the description of the round function for efficient implementation 
would be less than the minimum size of the public key for the $C^*$ cryptosystem. 



5 A prototype of a DES-like cipher for encryption 

Let $g(x) = x^3$ in $GF(2^{37})$. There are several efficient ways of implementing 
this power polynomial and each of them suggests a choice of a basis in $GF(2^{37})$. 
Let us fix a basis and discard five output coordinates. Then we have a function 
$f : GF(2)^{37} \to GF(2)^{32}$. The 64-bit plaintext block is divided into two 32-bit 
halves $L$ and $R$. The plaintext expansion is an affine mapping $E : GF(2)^{32} \to 
GF(2)^{37}$. Each round takes a 32-bit input and a 37-bit key. The round function 
is $L \| R \mapsto R \| L \oplus f(E(R) \oplus K)$. 

In [2] Biham and Shamir introduced an improved differential attack on 16-round 
DES. This means that, in general, for an $r$-round DES-like cipher the existence 
of an $(r - 2)$-round differential with a too high probability may enable a successful 
differential attack. From Theorem 6 we have that every four- and five-round 
differential of this block cipher has probability less than or equal to $2^{-61}$. 
Therefore we suggest at least six rounds for the block cipher. All round keys should be 
independent, therefore we need at least $6 \cdot 37 = 222$ key bits. This is equivalent to four 
DES keys, where all parity bits plus two other bits are discarded. 
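The claims of Sections 2 to 5 can be checked on small instances, and the prototype above can be run, with the following added Python example (this is not code from the paper, nor the authors' implementation). It computes p_max of Section 2 by exhaustive difference distribution tables for f(x) = x^{2^k+1} over small fields, checks the hyperplane statement of Theorem 4, shows what goes wrong when gcd(k, n) ≠ 1, and builds the six-round Feistel cipher of Section 5 with x^3 in GF(2^37) and five discarded output bits. The reduction polynomials, the particular affine expansion E, the round keys and the plaintext are assumptions of this example; the degree-37 pentanomial is taken from standard tables and is assumed irreducible (encrypt and decrypt invert each other regardless, since the structure is Feistel).

```python
from collections import Counter

# Reduction polynomials for GF(2^n), as bit masks (constructed for this
# example; the degree-37 one, x^37 + x^6 + x^4 + x + 1, is assumed irreducible).
IRRED = {3: 0b1011, 4: 0b10011, 5: 0b100101, 7: 0b10000011,
         9: 0b1000010001, 37: (1 << 37) | (1 << 6) | (1 << 4) | (1 << 1) | 1}


def gf_mul(a, b, n):
    """Multiply two elements of GF(2^n), encoded as n-bit integers."""
    poly, r = IRRED[n], 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r


def gold(x, k, n):
    """f(x) = x^(2^k+1) = x * x^(2^k); x^(2^k) is k successive squarings."""
    y = x
    for _ in range(k):
        y = gf_mul(y, y, n)
    return gf_mul(x, y, n)


def ddt_p_max(k, n):
    """p_max of Section 2 for f = x^(2^k+1) over GF(2^n): the largest count
    #{x : f(x+alpha)+f(x) = beta} over alpha != 0 and beta, divided by 2^n."""
    f = [gold(x, k, n) for x in range(1 << n)]
    worst = 0
    for alpha in range(1, 1 << n):
        counts = Counter(f[x ^ alpha] ^ f[x] for x in range(1 << n))
        worst = max(worst, max(counts.values()))
    return worst / (1 << n)


def is_permutation(k, n):
    return len({gold(x, k, n) for x in range(1 << n)}) == 1 << n


def hyperplane_property(k, n):
    """Theorem 4, checked exhaustively: for every nonzero w the output
    differences take 2^(n-1) values, each exactly twice, and after
    translating one of them to 0 the set is closed under addition."""
    f = [gold(x, k, n) for x in range(1 << n)]
    for w in range(1, 1 << n):
        counts = Counter(f[x ^ w] ^ f[x] for x in range(1 << n))
        if len(counts) != 1 << (n - 1) or set(counts.values()) != {2}:
            return False
        d0 = next(iter(counts))
        sub = {d ^ d0 for d in counts}
        if any(a ^ b not in sub for a in sub for b in sub):
            return False
    return True


# --- The Section 5 prototype: x^3 in GF(2^37), five output bits dropped ---
MASK32, MASK37 = (1 << 32) - 1, (1 << 37) - 1


def expand(r):
    """An injective affine E: GF(2)^32 -> GF(2)^37. Repeating the five low
    bits of R is this example's choice, not the paper's."""
    return (r & MASK32) | ((r & 0x1F) << 32)


def round_f(r, key):
    """f(E(R) + K): cube in GF(2^37), keep the 32 low coordinates."""
    return gold((expand(r) ^ key) & MASK37, 1, 37) & MASK32


def encrypt(block, keys):
    """L||R -> R||L + f(E(R) + K) in every round; the final swap is undone."""
    l, r = block >> 32, block & MASK32
    for key in keys:
        l, r = r, l ^ round_f(r, key)
    return (r << 32) | l


def decrypt(block, keys):
    """A Feistel cipher decrypts by applying the round keys in reverse."""
    return encrypt(block, keys[::-1])


# Six independent 37-bit round keys (6 * 37 = 222 key bits, as the paper
# requires) and a plaintext, all constructed for this example.
KEYS = [0x0123456789, 0x1ABCDEF012, 0x0FEDCBA987,
        0x1122334455, 0x19876543F0, 0x0A5A5A5A5A]
PT = 0x0123456789ABCDEF
```

ddt_p_max(1, 5) and ddt_p_max(2, 7) return 2^{1-n}, the almost perfect nonlinear value, and hyperplane_property() holds for them; x^9 over GF(2^9) (k = 3, gcd(k, n) = 3) is still a permutation but its p_max rises to 2^{3-n}, which is why the gcd condition in Section 4 matters. The Counter-based DDT is exhaustive and only practical for small n; it is a check of the theorems, not a way to evaluate the 37-bit round function.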
Content-Addressable Search Engines and DES-like Systems 
Abstract. A very simple parallel architecture using a modified version of content- 
addressable memory (CAM) can be used to cheaply and efficiently encipher and 
decipher data with DES-like systems. This paper will describe how to implement DES 
on these modified content-addressable memories at speeds approaching some of the 
better specialized hardware. This implementation is often much more attractive for 
system designers because the CAM can be reprogrammed to encrypt the data with 
other DES-like systems such as Khufu or perform system tasks like data compression 
or graphics. 

The CAM memory architecture is also easily extendable to build a large-scale engine 
for exhaustively searching the entire keyspace. This paper estimates that it will be 
possible to build a machine to test 2^55 keys of DES in one day for $30 million. This 
design is much less hypothetical than some of the others in the literature because it is 
based upon hardware that will be available off-the-shelf by the end of 1992. The 
architecture of this key search machine is much more attractive to an attacker because 
it is easily reprogrammable to handle modified DES-like algorithms such as the UNIX 
password system or Khufu. 

The original DES system was designed to be easily implemented in hardware [NBS77] 
and the current silicon manifestations of the cipher use modern processor design techniques 
to encipher and decipher information at about 1 to 30 megabits per second. Implementations 
of DES in software for standard CPUs, however, are markedly slower than specialized chips 
because many of the operations involved in DES are bit-level manipulations. As a result, many 
of the DES-like systems such as Merkle's Khufu [Mer90] were designed as replacements that 
could be easily implemented on conventional hardware. 

There is one class of general architecture, however, that implements bit-level operations. 
The machines like the CM-1, CM-2 and CM-200 from Thinking Machines Corporation and 
the Maspar machine all have thousands of one-bit processors. The designers intended that a 
large number of processors would compensate for the deficiencies of the individual nodes. 

Another example of this small architecture is now emerging from the labs of memory 
designers who are trying to build sophisticated content addressable memory (CAM). The 
individual processors of these machines are even weaker than the ones of the CM-1, but they 
can be packed very densely on a chip. The tiny processors have only a fraction of the memory 
of a CM-1 (42 bits versus thousands) and only a one-dimensional interconnection network 
(vs. 12), but this is sufficient to implement DES. Most importantly, these restrictions allow 
a packing density (1024 processors per chip) that is significantly higher at a cheap price 
($30-$100 per chip). 

Implementing the cipher on generalized parallel architectures like the CAM has one main 
advantage: cost. Many computer designers often find that the speed of a specialized DES 
chip is not worth the price. Generalized, content-addressable machines, however, have 
many other applications and this makes them a good compromise for the system designer. 
The design presented here can be easily reprogrammed in software to encrypt with DES or 
any DES-like variant like Khufu. The hardware can also be used to do data compression, data 
searches or even many different graphics operations. 

This paper will describe how to implement the DES algorithm on this architecture and 
produce results that are on par with the middle range of the specialized hardware. The 
main contribution is not extremely fast encryption speed. It is very fast speed coupled with 
software-level flexibility. Many other papers have offered flexible hardware designs [VHVM88, 
FMP85] that can be easily reworked to handle variants of DES, but none offer the flexibility 
of this system. Verbauwhede et al. [VHVM88] require new silicon to be fabricated in all 
cases, and the design of Fairfield et al. [FMP85] runs internal microcode that can be easily 
reprogrammed to implement other slight variants of DES such as cipher-block chaining. 
New algorithms like Khufu, however, would require a new micro-code instruction 
set. The flexibility of this CAM-based design is quite attractive to both the system designer 
and the brute-force attacker because it allows the hardware to be used for different purposes 
and different algorithms. 

1 Content-Addressable Memory Machines 

Standard memory maps an address to a value. Unfortunately, there are many applications 
when an algorithm needs to know which memory location holds a particular value. The 
only recourse is to search all the memory to find the value in question. Content-addressable 
memory is a hardware solution to this problem that will invert the search and provide the 
address holding a value in a single operation. This technique has been well-researched over 
the years and the book by Kohonen [Koh87] notes many approaches and summarizes some 
of the more salient aspects of this research. Several companies including AMD are making 
basic content-addressable memory modules. 

Recently teams at Syracuse University (some publications include [Old86, OWX87, OSB87]), 
MIT and Cornell ([Bri90, WS89, Zip90]) have developed more sophisticated and powerful 
implementations in silicon. These implementations allow the programmer to chain the result of 
several searches together in a simple fashion so that larger data structures and more complicated 
searches can be performed in hardware. Some of this hardware was originally intended 
to speed up logic programming, but many people have found surprising and interesting 
applications for the simple hardware. Oldfield and his team at Syracuse, for instance, are currently 
working on compressing data. 

A company, Coherent Research Incorporated of Syracuse, New York, is building sophisticated 
content-addressable memory chips called the Coherent Processor for widespread use. 
This paper will use their chip as an example because it is commercially available, but there 
is no reason why the algorithms cannot be modified slightly for use on similar chips. 

At the basic level, the Coherent Processor is a large, single-dimensional array of very 
simple parallel processors. Each processor has 42 bits of memory (W_i[0] ... W_i[41], where i 
denotes the processor number) and three one-bit registers (R1, R2 and R3). It also has a 
processing unit that can execute instructions on the registers, transfer data between the 
registers and the memory, communicate with the two neighboring processors or match a 
value on the internal bus. The instructions are simple operations that read the three register 
bits and store the result in one of the three registers. The match instructions can be used 
to simultaneously compare one 42-bit value against the entire array of processors. If there is 
a match, then the appropriate value is placed in a register. 

The following table shows the basic Coherent Processor instructions and the number of 
clock cycles used to complete them. 

1. MATCH: Simultaneously compare the 42 general bits at each processor with the values 
on a bus and store the result of this match in R1. This is used to look up items quickly. 
The match routine can include wild-card matches for individual bits so it is possible to 
match for strings of bits like "0000******11*****" (a "*" matches both a "0" and a "1"). 
If you want to move the value of bit W_i[2] into R3, then you would "match" a pattern 
with 1 in bit W_i[2] and wild-card matches specified for the rest and store the result in R3. 
If the value of bit W_i[2] was 1 in a particular word, then the match would be successful 
and a 1 would be stored in R3. If a zero was in bit W_i[2], then the match would be 
unsuccessful and a zero would be stored. The values of the other columns would not be 
affected. Cost: 4 cycles. 

2. CALC: Calculate a three-bit function of the three registers and store the result in a third 
register. Cost: 2 cycles. 

3. READ: Take the result of a selected word and place it on the bus. This operation usually 
follows a MATCH operation. Cost: 3 cycles. 

4. WRITE: Move the result from the bus into the selected word(s). Cost: 2 cycles. 

5. SHIFT: The first registers of each word are interconnected. They can shift the bit in 
their register to adjacent words in one step. Cost: 2 cycles. 

6. WRITECOLUMN: Moves a bit from a register into one of the 42 bits of memory. Cost: 
2 cycles. 

These commands can be strung together to manipulate data in simple and straight- 
forward methods. 

2 Implementing Plain DES 

There are three main operations involved in encrypting a block of 64 bits with the basic 
mode of the Data Encryption Standard known as the Electronic Code Book (ECB). They 
are 1) permuting the bits, 2) passing a 32-bit block through an s-box and 3) permuting the 
key structure. Each of these steps is easy to program on the Coherent Processor, in large 
part because the architecture is so limited. Several features of the instruction set, however, 
make implementing the algorithm very easy. 

Let the plaintext blocks of data be denoted B_1, ..., B_n and the individual bits of block 
B_i be B_i[0] ... B_i[63]. The key is K and the individual bits are K[0] ... K[55]. 

There are sixteen rounds of encryption and the key scheduling algorithm chooses a 48-bit 
subset of key bits to be used on each round. Let K^(l)[0] ... K^(l)[47] be the 48 bits used in 
round l. Each block of 64 bits is broken into two 32-bit halves (called B_L and B_R) and in each 
round the value of one of the halves is mixed with a subset of the key bits, passed through 
the s-box and then mixed with the right 32-bit half. More precisely, in each round: 

$$B_L \leftarrow B_L \oplus f(E(B_R) \oplus K^{(l)}).$$

($\oplus$ = XOR.) Then B_L and B_R are exchanged. f is the s-box function that takes 48 bits and 
returns 32 and the E() function is an "expansion" function that maps 32 bits into 48 bits so 
it can be combined with the 48 bits of key. Some bits of the input to E are used more than 
others. 

The data to be encrypted is broken into 64-bit blocks and each block is stored in 32-bit 
halves in two adjacent 42-bit words in the array, W_i and W_{i+1}. 

2.1 Permuting the Bits 

At the beginning and the end of the encryption process, the 64 bits in the block are passed 
through a bit-wise permutation. This step is often considered the slowest part of many 
software implementations for general purpose machines and many people believe that it was 
included to slow down software implementations and force general CPUs to move bits one 
by one. The Coherent Processor must also move each bit one at a time, but at least this is 
the best that it can do. In practice, the large number of parallel processors makes up for the 
weakness. 

Let the permutation be written as a set of cycles: $W_i[p_0] \to W_i[p_1] \to \cdots \to W_i[p_j] \to W_i[p_0]$. 
There are 64 bits to be exchanged, but they do not move in one cycle. The process can 
be accomplished by stringing together a chain of bit-moving commands. When the bits to be 
exchanged are on different words, then the CAM must also execute a bit-passing command 
to swap the bit to the adjacent word. The work can be summarized in pseudo-code: 

    Move W_i[p_0] into a bit.
    for k := 1 to 63 do
        Move W_i[p_k] into a bit.
        Move W_i[p_{k-1}] into its destination.
        If W_i[p_k] is on the wrong word,
            then pass it to the correct one.
    Move W_i[p_63] into W_i[p_0].

There are only 32 bits that need to be shifted between words. It is possible to do this 
quickly. The next section which computes the values of the s-boxes is much more time in- 
tensive. The cost: 129 MATCH and WRITECOLUMN instructions, 32 SHIFT instructions. 
About 580 cycles. 

2.2 Computing the S-boxes 

The s-boxes are responsible for providing the non-linear mixing of the bits that is necessary to 
provide adequate security. At the highest level, the s-box is a function that maps 32 bits to 
32 other bits. The s-boxes used in DES are, though, much simpler and they can be described 
as eight functions that take 6 out of the 32 bits and return four. Some bits are used more 
than others. These eight s-boxes can be further simplified into 32 functions that map six bits 
to one bit and this is the best level of abstraction to use when programming the Coherent 
Processor. 

Meyer and Matyas [MM82] describe the design of the s-boxes in terms of minterms, which 
are roughly the same as clauses of boolean variables. An equation describing output of one 
bit of an s-box might look something like this: 

$$B_i[1] \cdot \neg B_i[2] \cdot B_i[3] \cdot B_i[4] + B_i[1] \cdot \neg B_i[5] \cdot \neg B_i[6] + B_i[2] \cdot B_i[5]. \qquad (1)$$

("$\cdot$" = boolean AND, "$+$" = boolean OR, "$\neg$" = boolean NOT.) There are three minterms in the 
example and it is generally believed that the number of minterms in a minimal expression 
is one measure of the complexity of the s-box. The recent papers by Biham and Shamir [BS91] 
and others show that there are additional criteria that are more important. Meyer and 
Matyas note that there are 52 and 53 minterms in the description of each of the 8 s-boxes. 

These minterm descriptions of the s-boxes can be directly converted into operations for 
the Coherent Processor. Each clause of variables to be ANDed together can be computed 
with a MATCH instruction whose pattern has ones for the variables in the clause, zeros 
for the negated variables in the clause and wildcards for the unrepresented variables. The 
expression from equation 1 can be encoded: 

    MATCH "1011 *** ... ***"   → R1
    CALC  R1                   → R2
    MATCH "1*** 00* ... ***"   → R1
    CALC  R1 + R2              → R2
    MATCH "*1** 1** ... ***"   → R1
    CALC  R1 + R2              → R1                          (2)

This takes 6 cycles per minterm. At 53 minterms per s-box and 8 s-boxes per encryption 
round, this takes 2544 cycles per encryption round to calculate the values of the bits. It takes 
one SHIFT, one MATCH, one CALC and one WRITECOLUMN to XOR each of the 32 
bits into the adjacent word. That is an additional 384 cycles for 2928 per encryption round. 
There are 16 rounds in DES, the permutations take 580 cycles and the overall encryption 
process takes 47,528 cycles. 

2.3 Handling the Key 

When the result of one of the 32 functions is computed it must be XOR-ed with the key 
and then passed to the adjacent word to be XOR-ed with the appropriate bit. The same 
key encrypts all the blocks at the same time and it can be included by XORing the key 
vector, K^(l), into the match words. For instance, assume that "11001100 10101110 01001100 
11100101" is the 48 bits of key being used in a round and the minterms from equation 1 
define the s-box equations. Then the operations in example 2 become: 

    MATCH "0111 *** ... ***"   → R1
    CALC  R1                   → R2
    MATCH "0*** 11* ... ***"   → R1
    CALC  R1 + R2              → R2
    MATCH "*0** 0** ... ***"   → R1
    CALC  R1 + R2              → R1                          (3)

The same key is used to encrypt or decrypt each block of data in the simple version of 
DES. There are 56 key bits, but only 48 of them are used during each of the 16 different 
rounds. The bits being used are maintained by the program running on the general machine 
that is driving the Coherent Processor. It selects the subset of 48 bits that are used in each 
encryption and modifies the s-box functions accordingly. 
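To make the MATCH/CALC encoding of sections 2.2 and 2.3 concrete, here is an added Python model, not the paper's or Coherent Research's code: a word array with wildcard MATCH and three-register CALC, a compiler that turns equation 1 into the instruction sequence of equation 2, key folding that turns it into equation 3, and a check of both against a direct evaluation of the minterms over all 64 inputs. The CoherentArray class, the minterm dictionaries and the zero-padding of the 32 listed key bits to 48 are this example's own assumptions.

```python
from itertools import product

WORD_BITS = 42   # memory bits per processor, W_i[0..41]


class CoherentArray:
    """Toy model of the CAM (this example's assumption): each word has 42 memory
    bits plus registers R1, R2, R3 (indexed 0, 1, 2 here), and every
    instruction acts on all words at once."""

    def __init__(self, words):
        # constructed inputs shorter than 42 bits are zero-padded on the right
        self.words = [list(w) + [0] * (WORD_BITS - len(w)) for w in words]
        self.regs = [[0, 0, 0] for _ in words]

    def match(self, pattern, dst):
        """MATCH: compare a 42-character pattern of '0', '1' and '*' (wildcard)
        with every word; register dst becomes 1 iff all fixed bits agree."""
        for word, regs in zip(self.words, self.regs):
            regs[dst] = int(all(p == '*' or int(p) == b
                                for p, b in zip(pattern, word)))

    def calc(self, fn, dst):
        """CALC: a boolean function of (R1, R2, R3), result stored in dst."""
        for regs in self.regs:
            regs[dst] = fn(*regs) & 1


def minterm_pattern(minterm, key=None):
    """Encode one ANDed clause as a MATCH pattern: each required literal becomes
    '0' or '1', every other bit is '*'. Positions are 1-based like B_i[1..6] in
    equation 1. With a round key each literal is XORed with its key bit
    (section 2.3): matching the folded pattern against B equals matching the
    original pattern against B xor K."""
    pattern = ['*'] * WORD_BITS
    for pos, val in minterm.items():
        pattern[pos - 1] = str(val ^ key[pos - 1] if key is not None else val)
    return ''.join(pattern)


def compile_sbox_bit(minterms, key=None):
    """Sum of minterms -> the MATCH/CALC sequence of equation 2 (equation 3 when
    a key is folded in). Clauses are ORed into R2; the final OR lands in R1."""
    program = [('MATCH', minterm_pattern(minterms[0], key), 0)]
    if len(minterms) > 1:
        program.append(('CALC', lambda r1, r2, r3: r1, 1))        # CALC R1 -> R2
    for n, m in enumerate(minterms[1:], start=2):
        dst = 0 if n == len(minterms) else 1
        program.append(('MATCH', minterm_pattern(m, key), 0))
        program.append(('CALC', lambda r1, r2, r3: r1 | r2, dst))  # CALC R1 + R2
    return program


def run(array, program):
    """Execute a program on the array and return R1 of every word."""
    for op, arg, dst in program:
        (array.match if op == 'MATCH' else array.calc)(arg, dst)
    return [regs[0] for regs in array.regs]


def eval_minterms(bits, minterms):
    """Reference software evaluation of the same sum of minterms."""
    return int(any(all(bits[p - 1] == v for p, v in m.items()) for m in minterms))


def program_cycles(program):
    """Cycle count from the paper's instruction table: MATCH 4, CALC 2."""
    return sum(4 if op == 'MATCH' else 2 for op, _, _ in program)


# Equation 1: B[1]·¬B[2]·B[3]·B[4] + B[1]·¬B[5]·¬B[6] + B[2]·B[5]
EQ1 = [{1: 1, 2: 0, 3: 1, 4: 1}, {1: 1, 5: 0, 6: 0}, {2: 1, 5: 1}]

# Round key from section 2.3. The paper lists 32 bits; they are zero-padded to
# 48 here (constructed), since only key bits 1..6 touch equation 1.
KEY = [int(c) for c in "11001100101011100100110011100101".ljust(48, "0")]


def check_against_reference(minterms=EQ1, key=None):
    """Load all 64 six-bit inputs, one per processor, run the compiled program
    on them in parallel and compare with the reference evaluation. Returns
    True when every word agrees. With a key the words hold plaintext B while
    the folded patterns must yield the s-box bit of B xor K^(l)."""
    inputs = [list(bits) for bits in product((0, 1), repeat=6)]
    results = run(CoherentArray(inputs), compile_sbox_bit(minterms, key))
    for bits, got in zip(inputs, results):
        mixed = [b ^ k for b, k in zip(bits, key)] if key is not None else bits
        if got != eval_minterms(mixed, minterms):
            return False
    return True
```

Running `check_against_reference()` and `check_against_reference(key=KEY)` exercises all 64 words in one pass each, which is the parallelism the paper relies on for its throughput figures; `program_cycles` reproduces the 6 cycles per minterm of section 2.2.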

This method presupposes that the sixteen 48-bit subsets of the keys are precomputed and 
"compiled" into the code. This process is non-trivial and certain to cost some time. When 
the amount of data encrypted or decrypted per key change is large, then this "compilation" 
time is minimal. If the key is changed frequently, then there may be some impact on the 
encryption times. It is not likely to impact the overall throughput, however, if the CPU 
driving the CAM array is fast enough to interleave operations in between the various CAM 
instructions. This is not unreasonable because many of the CAM instructions take 2 to 4 
cycles to complete. A modern pipelined RISC architecture should be able to complete the 
key scheduling instructions in between. A better understanding of the effects of this will need 
to wait until the software is completely implemented on a working system. 
2.4 The Total Cost 

The current version of the Coherent Processor will run at speeds up to 50 MHz. If an 
encryption takes about 47,428 cycles, then each pair of words in the processor array can 
encrypt about 1,000 64-bit blocks per second. Writing a word into the array and reading it 
out takes 5 cycles in total. One chip of the current model has 1024 words or processors, so it 
can read in, encrypt and write out blocks of 32K in 52,548 cycles. This is equivalent to 31.2 
megabits per second, something that is in line with the middle range of current DES chips. 
The Cryptech CRY12C102 data sheet reports that it runs at 22.5 megabits per second and 
the Pijnenburg PCC100 attains 20 megabits per second. Moreover, the Coherent Processor 
is designed to be easily expanded by linking together multiple copies of the chip and n chips 
will be n times faster for small numbers of n. When there are hundreds or thousands of chips, 
the cost of writing and reading the information from the Coherent Processor becomes the 
limiting factor. Coherent Research reports that the new chip will cost about $100 per copy 
in small quantities and substantially less in large ones. 

3 Exhaustive Attack on DES 

When DES was introduced in 1977, some computer scientists protested that 56 bits were 
not sufficient because it would be possible to do an exhaustive search of the key space in a 
short amount of time using a massively parallel computer. In their book, Meyer and Matyas 
[MM82] discount that possibility and predict that it would just not be physically possible to 
build the machine until the 1990s because there were too many physical limitations. Heat 
and power usage are two major barriers. Diffie and Hellman describe the design in detail and 
respond to these criticisms in [DH77]. 

How easy would it be to build one today? Standard off-the-shelf encryption chips are 
plentiful and relatively cheap, but they require a second processor feeding them the keys 
and the test cases. Anyone who wants to build such a machine must undertake a project 
of building such a large array of distributed computers. This would require a large amount 
of custom design work. A truly dedicated attacker could even fabricate custom DES testing 
chips which have a built in circuit for incrementing the key by one bit and testing the result 
against another register. Only governments could afford a budget this large. Moreover, the 
slightest change in the algorithm would render this machine worthless. 

Garon and Outerbridge calculated the approximate costs of designing such a machine and 
found that it would cost about $129,000 for a machine that would break DES within 1 year if 
the machine was built in 1990 [GO91]. They also say that a machine could exhaustively 
search all the bits in one day for $46 million in 1990. This price would drop to $18 million 
in 1995. They assume that it is possible to build a node that encrypts 2 million key tests for 
$25 in 1990 in order to complete such a machine. They do not describe the details of how to 
design the board or manufacture it in sufficient quantities. 

The Content Addressable Memory array chips, however, are designed to be built into 
large parallel arrays of chips. It is already possible to buy a board for a PC which has 64 
chips of a previous model of the Coherent Processor. Large arrays should not be hard to 
create. Moreover, the algorithm is implemented in software, so the machine can also be used 
to attack many other subtle and not-so-subtle variations of DES. 

What is the best way to do an exhaustive search with the current architecture of the 
Coherent Processor? The version described for simple encryption and decryption is able to 
work very quickly because it can encode the key in the stream of instructions fed to the 
Coherent Processor. This approach must be abandoned because an exhaustive search of the 
key space requires that each processing node must use a different key. 
One alternative is to store the key bits in the 10 extra tag bits stored at each node. Two 
nodes are used to hold the two 32-bit half-blocks of each case, so there are up to 20 extra 
key bits which can be stored at each node. Let there be 2^n processors in the machine. That 
means there are 2^(n-1) potential keys that can be tested with each round because two nodes 
are used for each encryption. Assume that n ≤ 21 so the problem does not overflow the 
physical space of the real machine. (Later versions of the architecture could have more free 
bits available.) At each pair of nodes, store a unique set of n - 1 key bits. These bits will be 
used by this pair of nodes alone. The other 56 - (n - 1) bits are shared by all the instances 
and they are encoded in the instruction stream as before. 

At the beginning of each round of encryption, the local key bits must be XOR-ed into 
the appropriate half-block of bits before that half-block is passed through the s-boxes. These 
four or five instructions will XOR the key bit K_l into position B_j: 

    MATCH K_l             → R1
    SHIFT
    MATCH B_j             → R2
    CALC  R1 XOR R2       → R2
    WRITECOLUMN R2        → B_j                              (4)

The SHIFT instruction is only necessary if the key bit is on the opposite node from the 
destination bit. This process is repeated at the end of the s-box calculation to remove the bit 
from the data. Only 48 of the 56 key bits are used at each round, but it is possible that up to 
n - 1 of these bits will come from the bits stored locally. The operations in equation 4 take 16 
cycles. They must be repeated 2n - 2 times for each round. The result takes 512n - 512 extra 
cycles for each encryption. If a machine was built with a full complement of 2^21 processors, 
then it would take 57,126 cycles to test 2^20 potential keys. This step must be repeated 2^36 
times and the machine is capable of doing about 875 of these tests per second or about 76 
million per day. Exhausting the entire space would require 904 days. If the well-known trick 
of exploiting symmetry in the keys is used to reduce the key space to 2^55 keys, then one 
machine will test all in 452 days. 

How much would such a machine cost? There are 2^10 processors on a chip that will cost 
between $30 and $100. 2^11 chips are necessary and this would cost between about $60,000 
and $200,000. Control hardware would add an additional $10,000 to $20,000. 45 machines would 
cost about $3 million and exhaustively search the space in 10 days. $30 million would 
buy a machine that would search the space in 1 day with 450 machines. I'm assuming that 
volume discounts would apply at this scale and $30 is a price that should apply at the end 
of 1992 when the chips become widely available. 

Although this design is still hypothetical, it is much more real than some of the other 
designs available because the chip fabrication and design is already complete. The process of 
building a machine out of chips is not much different from connecting a large bank of memory 
up to a single processor. This paper does not pretend to address any of the important 
questions about heat and power dissipation. These could also affect the design and it is 
possible that my estimate of $10,000 to $20,000 for the support hardware is too low. 

The standard assumptions about time and transistor density should apply to this model 
as well. It is entirely conceivable that we will see larger improvements in density and price 
of these machines in the near future because they are younger designs. 

The UNIX password system uses a version of DES that was presumably modified to make 
it impossible to gang together a number of off-the-shelf DES chips and use the system to 
break UNIX passwords. This large machine, however, is not constrained by this modification 
or any other modification that re-arranges the pattern of s-boxes, permutations and mixing. 
The salting process used in the UNIX password operation is easy to express with extra 
bit swapping operations. The only problem with attacking systems like Merkle's Khufu is 
expressing the s-boxes as minterms. Incidentally, logic minimization is also easily handled by 
the Coherent Processor. 

The availability of these systems puts even more pressure on the UNIX password system. 
In 1989, Feldmeier and Karn [FK89] estimated that the UNIX password system was insecure 
for short alphanumeric passwords because a DEC 3100 could process about 1000 passwords 
per second. Given that each password needs 25 passes of DES, then it is possible to estimate 
that a Coherent Processor based machine will be able to test about 20,000 passwords per 
second per chip. If a basic Coherent Processor machine comes with between 8 and 64 chips, 
then it is easily possible to imagine computers with the ability to test between 160,000 and 
1,280,000 passwords per second. How fast could such a standard machine test all passwords made 
up of 6 alphanumeric characters ("A" - "Z", "a" - "z", "1" - "9")? Between about 3.75 days 
(8 chips) and about half a day (64 chips). A large scale machine with 2^11 chips should be 
able to tackle passwords with 7 alphanumeric characters in about one day. 

4 DES with Modified Chaining 

The last several sections described how to encrypt a large block of data in parallel using a 
simple DES with no feedback. A more robust version of DES feeds the result of encrypting 
each block into the key selection of the next block. Let $E_i = f(K, B_i)$ represent the ci- 
phertext blocks. A feedback cipher sets $E_i = f(K, B_i \oplus E_{i-1})$ where $\oplus$ represents boolean 
XOR. $E_0$ is set to a pre-arranged constant. This process is called Cipher Block Chaining 
(CBC). 

The modification adds a great deal of strength to the plain DES because it reduces the 
redundancies that can develop if there is a 64-bit block that occurs often in the plaintext. 
The feedback mode ensures that a different value will permute each block and obscure the 
redundancy. It should be obvious that this system cannot be used when all the blocks are 
computed in parallel. Here is a modified version of chaining that can be implemented in 
parallel. 

One solution is to exchange and XOR bits with neighbors at the end of certain rounds 
of encryption. In round 1, the left half of each block is used to compute the value XORed 
into the right half. After this, the left blocks are exchanged with the neighboring blocks and 
XORed into the right halves of the neighboring block. This can be done with pseudo-code 
like this. W_i is the left half and W_{i+1} is the right half. 

    for k := 0 to 31 do
        MATCH W_i[k]          → R1
        CALC  COPY R1         → R2
        SHIFT
        SHIFT
        CALC  XOR R1 R2       → R1
        WRITECOLUMN R1        → W_{i+1}[k]

This command shifts one bit to the next pair of words over and XORs it with the value of 
a neighboring block. It takes 16 cycles per bit to achieve this. This can be repeated as often 
as desired at the cost of slowing down the entire encryption. Doing this at the end of each 
round of encryption costs 8,192 cycles and this slows the encryption rate to 27.0 megabits 
per second. In this case, a change in block B_i will propagate through blocks B_i to B_{i+16} and 
affect their encrypted values. Arbitrarily complex shifting can be included as long as care is 
taken to ensure that the results can be reversed. If this step is done often in the process, it 
can effectively turn the encryption into one large block at a small decrease in speed. 
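The neighbor-mixing step of section 4, as an added Python model that is not from the paper: every round applies a Feistel step to all blocks in parallel and then XORs the left half of block i-1 into the right half of block i, which is what the SHIFT/XOR loop above does bit by bit. The round function f, the key schedule, the sample blocks and the sample key are constructed stand-ins (f is only required to be a keyed bijection); the model demonstrates that the mixing is reversible on decryption and that a change in block i reaches exactly blocks i through i+16 after 16 rounds.

```python
MASK = 0xFFFFFFFF
ROUNDS = 16


def f(x, k):
    """Constructed stand-in for the DES round function: a keyed 32-bit
    bijection (odd multiplier), so a change in x always shows up in f(x, k)."""
    return ((x ^ k) * 0x9E3779B1) & MASK


def round_keys(key):
    """Constructed toy key schedule: 16 subkeys from one 64-bit key."""
    return [((key >> (r % 32)) ^ (key * (r + 1))) & MASK for r in range(ROUNDS)]


def encrypt_chained(blocks, key, e0=0):
    """blocks: list of (L, R) 32-bit halves, all encrypted in parallel.
    Each round: R_i ^= f(L_i, k), then R_i ^= L_{i-1} (the neighbor mixing of
    section 4, e0 standing in for the missing left neighbor of block 0),
    then the halves are exchanged."""
    L = [l for l, _ in blocks]
    R = [r for _, r in blocks]
    for k in round_keys(key):
        R = [r ^ f(l, k) for l, r in zip(L, R)]
        R = [r ^ prev for r, prev in zip(R, [e0] + L[:-1])]
        L, R = R, L
    return list(zip(L, R))


def decrypt_chained(blocks, key, e0=0):
    """Undo the rounds in reverse order. The mixing step only reads left
    halves, which that round never modifies, so it is its own inverse."""
    L = [l for l, _ in blocks]
    R = [r for _, r in blocks]
    for k in reversed(round_keys(key)):
        L, R = R, L
        R = [r ^ prev for r, prev in zip(R, [e0] + L[:-1])]
        R = [r ^ f(l, k) for l, r in zip(L, R)]
    return list(zip(L, R))


def changed_blocks(blocks, key, index):
    """Flip one plaintext bit in block `index`, re-encrypt and return the
    indices of ciphertext blocks that differ (the paper: B_i .. B_{i+16})."""
    reference = encrypt_chained(blocks, key)
    tampered = list(blocks)
    l, r = tampered[index]
    tampered[index] = (l ^ 1, r)
    altered = encrypt_chained(tampered, key)
    return [i for i, (a, b) in enumerate(zip(reference, altered)) if a != b]


# Constructed sample input: 40 blocks derived from a counter, and a sample key.
SAMPLE_BLOCKS = [((i * 0x01234567) & MASK, (i * 0x89ABCDEF) & MASK)
                 for i in range(40)]
SAMPLE_KEY = 0x0123456789ABCDEF
```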

5 Conclusion 

This paper has described a simple architecture intended for information storage and retrieval 
that can also encrypt and decrypt messages faster than all but the best specialized chips. 
More importantly, the results are achieved in software so the process can be extended to 
other DES-like systems without refabricating the chips. The only problem is expressing the 
s-boxes so they can be implemented with minterms. This should make the chip much more 
desirable for many implementations of DES that require more flexibility than extreme speed. 

Chips like the Coherent Processor also make it very easy to create a large-scale processor 
for exhaustive cryptanalysis of the key space because the chips were designed to be grouped 
together in a large array. The hypothetical machine described here is much different from the 
other machines described in the literature because it is both reprogrammable and substan- 
tially closer to being realized. Only a minimal amount of logic is necessary to turn the chips 
into machines that are able to handle DES and variants of DES like the UNIX password 
system or Khufu. 

The flexible software structure also provides an easy method to test for broken chips. It 
is possible to load each line with a test vector, encrypt them in parallel and then test for 
failures with a MATCH instruction. Many of the earlier designs for large machines needed 
to build in a specific test function to maintain the system. 

There are several changes to the Coherent Processor that would improve its ability to 
encrypt DES. Currently, the key is "compiled" into the program for the CAM and this may 
be a non-trivial event. If future versions of the architecture have more than 42 bits per word, 
then it could be practical to store the key locally and add the key in bit by bit as it is done in 
the brute force attack. Also, the current version of the Coherent Processor will only compute 
3-bit functions. 4- or 5-bit functions may be quite practical and they would certainly speed 
the results of the process. 

Working hardware is due in early 1993 and this will provide an opportunity to develop 
7 Appendix 

Some minimal representations of the s-boxes provided by Luke O'Connor. S_2^1 represents the 
function for the first bit of the second s-box. The + means logical OR. The logical 
ANDs in each clause (implicant) are left out to save space. A variable with a bar over it (x̄_6) 
represents NOT x_6. 

x 2, *3, X4, ^5, Xg) = XiZ2XzX^f 6 + IiX2f^sXe.+^\l2lAX^Xli^-XiX2f2Xii^^\^2 x ^i x i~ 
X\X2X~3X~5X$ + £1X21415X6 + ZiX"2X 3X4X515 + X2X3X 4 Z5X"6 + 1 1 X 2 X~3 X5 x"s + X 1X3X4X5X6 + 
X2X4X 5 X" 6 -f X";2T 3 X"4X5X S -4- X i X~ 2 X3 X~ 5 X 6 + X 1 X2X4X5X1; + XlX~3X4X 5 X 6 4- X2X3X~4X~5Xg 4- £2X4X5X5 

S^Xi, X 2 , X3, X4, X 5 , X 6 ) = x"lX" 2 X" 4 X5X"5 + x\x 2 X i X A X i X(, + X" 1 X 2 X 4 X 5 X"6 + X 1 X' 2 X~ 3 X5X6 + 
X"1X"2X 4 X" 5 X6 -I- X 1X3X4X5 + x"iX2X"4X5X6 + X~ 2 x" 3 X~ 5 x"" 6 -f- X^X^Xs + X~ 2 X3X~4X 5 X~6 + £1X2X325X6 + 
XII2X3X4I5 + X2X3X4X5X6 + X"2l 3 X"4l5X 6 + X^X^x", + X:X2X4X 5 X 6 -r 11X3X4X5X6 

S 3 (x\ , X 2 , X 3 , X 4 , X 5 . X 6 ) = XiX2X~4X~sX~s + XlX2^3^S^« + X 1 X 2 X 3 X4X i X 6 + 11X2X3X4X^X1} + 
X\ X~ 2 X 3 X 4 + l"l X~ 2 X 4 X 5 X 6 + X"i X 2 X3 X4 4- X 1 X~ 2 X 4 X" 5 X~ 5 + X~ 2 X 3 X 4 X5 X$ 4- X 1 X~2 X 3 X 5 X~6 + X 1 X 2 1*3X4X5 + 
XiX2X"4X"5X 6 + XiX3X"4X5X" 6 + I 1 x"2X"3l"4X"5l s + X 1 l"2X 4 X5X 6 + XiX2X4X"5X6+X2X~3X5X6-t-X 1X2X3X5X5 + 
X2X3X4X5X6 

5^(Xi , X 2 , X 3 , X 4 , X 5 , x 6 ) = I~iX"2X3X4X" 6 4- X-1X3I4X5X6 + x'iX2X3X 5 X 6 4- x"iX"2X"3X"4X5X6 + 
ZlX2XiX5 + XlX2XaX4XsX6 + X~iX2X3X~i + XlX3X4X~sX e +Xil2X3X\X5X~G^ 



X\X2X3XaXs + X2X~iX~sX6 -~XiX 2 X~5X~6 + XiX 2 X3l 5 2 6 + X~2X 3 X4X 6 -f ^113X41516 + 11X2X3X4X6 + 

X1X2X3X5 + 11X3X4X5X5 

Si (£1, Z 2 , X3, X4, X 5 , 2 6 ) = Z"i2~2X3X5X 6 4" i"il2l3l4l5J6 + 1113X41516 + X~lX3X 4 X5X~6 + 
x'l^XsX'sXs + X - ! 12X3X4X6 + X1XJX3X4X5X6 + X2I3X4X5X6 + £1X2X3X5X15 + X 1 X~ 3 x" 4 X 5 26 + 
XlX 2 X~3Z4r~5X6 + X 2 X3X"4X 6 X« 4- X 2 X3X4X 5 £~ 6 + 2" 2 232425X6 + XlX"2X~3X~5X6 + X- L X~2X~ 4 X 5XS — 
X2X3X"4X" 5 X6 4- X2X"3X 4 X5X 6 4- 22X3X4X5X5 + X]X 2 X4X 5 X 6 

Sj(zi, X 2 , X3, X4, X5, X 6 ) = X 1 X 2 X4X 5 X6+x"lX2X3X5X6 + X~iX2X3X5Xl5+X"iX"2X3X5X6+xlX2X3 2 4 I 6 + 
X~lX 2 X4X5 4-X~lX5X~4X 5 X6 + X~iX 3 X~4X~ 5 + l"iX3X4X5X6 + XiX~2X~4X5X6+^ 

X1X2X4X5X6 + X 1 X2X3X4X 5 X6 + X 1 X 2 X4X" 5 X 6 4- XiX 2 x" 3 X 5 X 6 + X1X3X4X5X6 + Zi2 3 X42~526 

5|(xi,X2,X3,X4,X 5 ,X6) = X1XIJX3X4 + 2iX~2X 3 i" 5 Z~ 6 + X~i X 2 x"3X4X 5 x" 6 + X"i X 2 X3Z4Z~5X6 + 
X 1 X" 2 X" 4 X~ 5 + X"l X" 3 X 4 X 5 X 6 + X _ ! X 3 X" 4 X~ 5 X 6 + X 1 X~2 x"3 X 5 X~ 6 4- X 1 x~ 2 2~ 3 X 4 2~6 + 2~ 2 X 3 X 4 X 5 X~ 6 + X _ 2 X 3 x" 4 X~s + 
XlX"3X4XgX" 6 + XiX2X3X5X" 0 -+XiX2X3X4X" 6 + X2^3X4X5X"64-X _ 2X3X5X 6 +XiX 2 X^3X"4X 6 + XlX3X4XliX6 + 
22X3X4X3X6 

S\{x\, X 2 , X3, X4, Is, X6) = x"lX 2 X4X 5 X" 6 + r ; f' 3 ^ 4 x 6 ~x"iX2X' 3 X5X"6 + X"iX3X4X _ 5Xl3 + X^X2X~3X5X6^ 
X"lX 2 X4X5Xij + XjX2X4Xs + XiXvX^XsXg + 11X2X3X5 4- 22X3X4X5X6 + X2X4X5X6 + 2lX 3 X~425X5 4- 
XiX" 3 X'4X _ 5X s + X 2 X"3X 4 X5X6 + X 2 X 3 X 5 X S 

5'l (Xl, X 2 , X 3 , X 4 , X5. Xs) = XiX"2X4X"5X s +X"iX2X3X~4l5+x" 1 X 3 X4X _ 5X6 + X""lX2X3X*4l5+X"lX2X3X4X5X6 + 
X"lX2X"3X"4X54-x"lX2X4X5X5 + XiX~3X4X5X 6 + x"iX 2 X~4X5X 6 + XiX2X3X~ 5 X6 + X"2X 3 r4X5X"6 + Xl X2X4XI5XS + 
XlX~ 3 r4X" 5 X" 6 + I l X 3 X4X5X6 ~ X1X3X4X5X6 + X 1 X 2 X3X4l'5X" S T XiX"" 2 X _ 4X5X5 + X 1 X~2X4£ 5 X6 + 
2223X4X5X6 + I1I3I4X5X6 + X 2 X 3 X^X S + Xir 2 X 3 X4X5X 6 

Sj(ll, X 2 , X 3 , X4, X5, Is) = X^iXlzX3X"5X^+xlxliX4X5X"s + X"iX2X"4X5X"6 + X"lX"2X3X _ 4X^ + X _ iX"2X4X5X6 + 
XlX2X"3X4 + X"]l2X3X~5X6 + X"lX3X4X"5X6+XlX 2 X3X5l"6+XlI~2X%X5X5+XlX2X 3 X"5X"6 + XlX2l4X5X" 6 + 
XlX3X 4 x"5X 6 + XlX2X3l"4X" 5 X 6 + 2 : 2 2 X~32~52 6 + XiXoX'iXjXe + I 1 X 3 X 4 X5X6 

Sf (<El> X 2 , X 3 , X4, 15, X 6 ) = xlx"2X4l"5X"6^X"tX3X4X5X"6+X"iX3X5X>4-xlx 3 X4XlT-X"lX2X3X"4X"5X6 + 
X"l X2X3X4 X5X6 + X ] X2X4X5X6 + X2 232~4 25X54-2 t 22X3X5I64-X3X4Z5X64-2 1X2X3X5 X5 + X2X 3 X~4X5 X5 + 
X"2X 3 X"4X" 5 X S + X" 2 X3X4X 5 X6 4- XlX^X^XjXs + 21X2X4X5 + X 2 x" 3 X4X 5 Xo + XlX 3 2~42~g2 6 

51(11, X2,X 3 . X4, 2 5 , X 6 ) = l"ix' 2 X4X"5Xl ; +2"iX _ 2X3X 5 x" 6 + X^X 2 X3X5X" 6 + x"iX2X3X5X6+xrix" 2 x'4X5X s + 
x"iX2X4X" 5 Xa + X"i 13X3X5X6 4- XiX" 3 X~4X"5X 6 + XiX"2X~3X4X5X'6 + 22X3X425X5 4- X 2 X 3 X4X5Xa -f- 
*2X3*4*«+*2^4^5^6 + *l*2X3*4*5«« + XlX3f3X5*« + XlXSX3X(X8+*l«3X9XsX« + *! r 2 £3X4X5 

5i(xi, Z 2 , X 3) X4. X5, X«) = x"iX" 2 xl5X"425 + X _ lX^X4X"5X"6 + x"iX"3X4X"5Xl5T-X"lX2X3X~4X"64-XlX3X4X5X T 5 + 

x"iX2X 3 X r 5X64-x"'iX3X"4X5X54-X'i X2X3I4 X6^-X~2 X3X4X5 X~6 + 2 1 2 2 X 4X~5X64-X 1 2*2X3X5 f 6 + X 1 X3X4X 5 X6 + 

X1X2X3X4X5 + 11X2X3X4X5X5 + X2X3X4X5X6 4- 2ir" 2 x 3 X5rs 4- xix-^x^x^x^ 4- X1X2X4X5X6 4- 
22X4X5X6 

5 2 (X2, X 2 , X3, X4, X 5 , X S ) — XlX2X 3 X~^X 6 ^X~iX 3 X4X^Xf J +X\f2X3X4Xs~X\X^X^X 5 Xs+XiX3X^X^X s + 
2"iX 2 X3X4X"5 4- 2*2 X3X*4X5 2*54-XiX32425X~64-Xi2 2 X~4X~ 5 2*64-2 1X3X42*5^ 

X"2X" 3 X4X5X 6 + XiX" 2 X 3 X42"5 4- l223X4X 5 Xtj 4" X 1 X2X3X4X _ 5X 6 + XiX 2 X 3 x"4X6 4- 21X2X3X5X5 

S^Xi, x 2< S S, X4, X 5 , X S ) = XiX~2X3X s Z~e + XlX" 2 X4X5X"6 4- xlX2X 3 X~4X5 + Xl22 23X4Z-5X r 6 + 

XlX3X^X5X" 6 4-riX22"4X"5X64-XlX" 2 x"3X5r64-X - 2 X32"4X"5X6^X2l3X"4X5Xs4-X 2 X- 3 X4X"5X 6 4-XlX2X4 I 5Xs 

Si(Xl, X 2 , X 3 , X 4 , X S , X S ) = X 1 X3X i X~3X s ±X 1 X2X 3 X i X~ s + X 1 X2X4XsXe + I] X2l3X5X6 + XlX" 2 X4X5X6 + 
X 1 X 2 X3X"4X 5 X S 4- ElI 2 X3X4X" 5 + x""iX 3 X4X5X 6 4" X2X 3 X4X5X" 5 4" Xil" 2 X 3 X5X" s + XiX 2 X"3X" 4 x"6 + 
2iX~324X"5X"64-X22~4X _ 52~6+ri2" 2 X4J5X ? 4-X~ 2 X32 _ 425264-X:2 2 23X4 
XiX 3 X4X5X$ 

5j (ll, X 2 , X 3 , X4, X 5 , X 6 ) =z X";X _ 2X4X5X" 6 4-Xlx 2 X4X5X^4-xlx2X4X~5X"64-2^lX"3X4X5X 6 4-x"lX 2 X4X"5X 6 4- 

Xl X 2 l3X~4X5X6 + X L X3X4X 5 + XiX 3X4X5 X 5 + XlX2X3X~4Xs4-riX 2 X3X4X 6 + XlX 2 
X" 2 X"3X4X6 4- X 1 X 2 X~3X" 5 X S 4- XiX" 2 X3X 5 4- XiX"3X4X5X 6 4- X2X3X4X5X6 4- XiX 2 X 3 X"4X'5X 5 

5 2 ( X 1' x 2, X3, X4. Ij. X 6 ) = X""iX2X"3X4X"5X" 6 + x" ; 2 3 x" 4 x" 5 X" 6 4- x"iX _ 2 X 3 X4 X 3 X" s + l"i 2" 3 24 X 5 x" 6 + 
x"iX 2 X 3 X5X6 4- l"lX 2 x"4l5X6 4" x"iX 2 I 3 X"5X6 ~ x"lX2X 3 x"5X 6 4- x'l X : 23X4X5X5 4- XiX"" 2 X3X4X5 4" 
XlX"2X3X 4 X~5X6 + X 1 X3 X" 4 X _ 5 x" 5 + XiX 2 X~3X 5 x" 6 ^ X2X3X4 X5X4 4" X 2 X3l4X5X" 6 4" X1X2X4X5X6 + 
XiX~2X"3X4X64-X2 2"324X5X64-X" 2 X3X"4l5l64-Xi2 2 24X5X5+X2X - 3x"4X"5X 6 4-X] X2X42SX54-X1 X2X3242'52s 

■S^Xl. X 2 , X 3 , X4, 2 3 , x e ) = x"iX"2X 4 x4 i 2"i;-t-x' 1 X"2X3X' 6 4-X _ l X 2 X''3 244-x"lX3X4X"5X 6 4-2"lX~2X4X5X S 4- 
XlX 3 XiX 5 Xe + XiX2X S X s Xs + Xl X2X4I5 + X1 X 3 X4X5X s + X 1 X 2 X 3 X3X 6 + X~2X3X A X~sXs+X 1X2X3X4X5-1- 
£2X3X4X51$ + X1X2I3I4X5 + 11X2X3X4X5 t X1X3X4X5X6 + X2X3X4X5X6 

Sl{ x l , 12, X 3 , X 4 , X 5 , I 6 ) = X- 1 X 2 X3X4X~ 6 +l\X3X~4X~5X~6-\-x\X2X4X5Xs-{-X i X2X~4X5X e + x\X2X3X4X$-^ 
XiX2£3XsXi+X i X2X4£f,X s +£iX 3 £4X i X e +Xi£2X4£5£ S -T£2X3X4X i Xe+XiX2£3Xi£6+X2£3X5X 6 ^- 
£3X4X5X5 + X 1 X3X4X5X~g + XiX~ 2 X4X~5X6 + XiX2X 3 X 5 + XlX 2 X 3 X 4 X 6 + 

5f (ll,l2,r3,l4, 13,16) = X~\X~2X4X5X S + X l X 2 X~3X4X5X fi + £1X3X4X5X6 + X~lX 3 X 4 Z 5 X~6 + 
XlX2X3X4X$ + X~lX2X3X4X 6 + X\X 3 X\XsX 6 + X 1 X2X^XiX6-{-X~2X~3XjX 6 +XiX2X^^ 
11X3X4X5 + XiX~2X4XsX$ + XiX2X 3 X S X S + £2X3X4X5X6 + 11X2X3X4X6 + X 2 X 3 X4X$X$ 

S2(x\,X2,X 3 ,X4,X b ,X 6 ) = £1X2X3X4X^X5 + X l X 2 X4X5X$ + Xl X3X4X5XS + £1X2X3X5X6 ~f~ 
X l XnX4X5XG+X 1 X2X3X4Xs+X 1 X2X3X5Xs+Xi.X2X3XsXs+XiX 3 X4XiXs+Xi£^ 

x l X2£ 3 x'5£(> + Xi£ 3 X4£ i £i i + xiX2X 3 x s x s + x^x^x^x'sxe + xix- 3 x 4 x 5 x 6 + x~2X 3 x 4 x 5 x 6 + 

X 1 X2X3Z 4 X~5 + X 1 X2X 3 X5X 6 + X2X~3X 4 X5X6 + Xi X2X 3 £4£sX e + X1X2X4X5X5 

5f(Xl , X 2 , X 3 , X4, Xi, X$) = X _ iX2X _ 3X4X _ 6 + riX2r4X"5X"6+xlX3X4X5X 6 + XiX2X3X4X6^X'iX3X" 4 X5X5 + 
x"lX3X4X 5 X6 + X1X2X4X5X6 + £1X2X3X4X5 ~ Xil2X 3 X4X~5X 6 + X 1 X2X3X~ 4 l5 -r X~2 13X4X5X6 T 
XlX"2X3X"4X" 5 X 6 + Xj.X 3 X4X 5 X6 -f 1 1 X 2 1~3 X~ 4 X~ 5 + X 1 X2X 4 X5X" 6 + X 1 X2X 3 X 4 X" 6 + X2X3X4Z5X5 + 
x"2X3X"4X5Xs + XlXlX4l"5X64-XiX"2l3X4X6^X2X3X 4 X^X6 + XiX3X^X5X 6 + X2X3X 4 X5X6 + XlX2X4X'5X^ 

5|(xi, X2, X 3 , I4,X 5 , X 6 ) - x"lX"2X3r"4r"5 + x"iX2X4X"5 + x"lX2X3X5X"64-x"iX"2r3X4X6+x"lx" 3 i"4X5 + 
riX2X4X5+XlX"2X"3X5l~6 + r2X"3X4XsX"6 + XlX2X4X5X6 + XiX3X4X"sX~$ + X2X3X~4X5X~6+X2 X3X4X5 £n + 
XiX2X4XsX e + £2X3X5X6 + X[ X2X~ 3 x" 5 X 6 + X 1 X 2 X4X 5 X5 

S' I 7 (X1, X 2 , X 3 , X4, X 3 , X 6 ) = x" 1 X 3 X~4X 3 x"s + X" 1 X"2X 3 X" 5 X6 + XiX2X~3X4X~sX 8 + X 1 X 2 X" 4 X.5X"6 T 
x"lX"3X"4X"5X 6 + X l x"2X 3 X5X6 + l"iX 3 X4X5Xs^x"iX2X3X4X" 5 X6+XiX"2X3X4 + x"2X3X"4X5X~6 + x"2X4X5X" 5 + 
riX2X3X4X"s + XlX2X3X4X5X6 + XiX2X3X5XfS — x"2X~ 3 X4 Ijlj + X 1 X3 X4X5 + X lX~2X 4 X 3 X6 + X2X3X4 XsX^ — 
XJX2I4X5X6 + 11X2X4X5X5 

Si(Xl , X2, X3, X4, X5, Xs) = XiX2X 3 x"5X6-rX"ll3 14X5-!- x"lX"2X4X5 + X~i X22~3 X~ S X6 + X~i X2X3 X 5 X, 5 ~- 
X 1 X~ 3 X~4X 5 X~ 6 +X ! X~2X 3 X~ 5 X~s+X~2 X4X5X~ 6 +X2X 3 X4X 3 X6 - X 1 X 2 X 3 X 4 X~ 5 X 6 +X ! X 2 X 
XiX" 2 X 3 X 5 X s + X 1 X2X3X 5 X 6 + XiX2X 3 X4X~ 5 X 6 -f Z2X4X5X6 

S 3 (XI, X 2 ,X 3 , X 4 , X 5 , X 6 ) = I^X^X^ -(- X" 1 X"2X 3 X" 4 X'3X"6 + l"; I3X 4 X 5 X~6 + X"lX;X 3 x"4X 5 - 
XlX2X3X4X~ 5 £ 5 +X\£2X 3 X4 + £iX2£4X6 + XiX3X4X 5 I 6 ~XiX2X3X 5 X 6 -]-X 1 X2X4X\Xe-i-X2X3£4X^Xai- 
Xir2X"3X" 4 X" 6 -r Xil3X 4 r~5X6 -(- 11X3X4X5X6 + XiX2X3X""4X 6 + X2X3X4X5X6 - XiX2X 3 I 4 X5X5 -r 
X2X3X4X5 + X 1 X3X 4 x" 5 X6 

^{(xi , x 2 , x 3 , x 4 , x 3 , x 6 ) = x^x^x^x^isx^ + £ l x2£ 3 x i £6 + £1X2X4X5X6 + £ 1 X3X 4 Xr,X6 + 

X _ lX3X 4 l5X 5 -t-I _ ir2X"3X"5X 5 + r 1 X _ 2X~3X 4 r5 + x" 1 r"2X 4 r"5X6 + X~lX"3X 4 x" 5 r 6 + x"iX3X" 4 r5X6 + X 1 X^ 
X 1 X"2X" 3 X4X" a -fX 1 X2X"4X5X _ 6 + X : X 3 X" 4 X5X" 6 + XlX3X 4 x"5X" 6 + XlX"3X" 4 X5X 6 + x"2X"3X 4 X"5X 6 +X 1 X^X 3 x"4X" 5 X S 
XlX2X 3 X4l5X6 + XlX2X~ 3 X~ 4 X6 + X2X3X4X5X6 + X1X2X3X5X6 + Xil2X3l4X~5 

Sf ( X 1 , X 2 , X 3 , X 4 , X 5 , X fj ) = x"l X~" 2 X 4 X~ 5 x" 6 -f X _ l X "3 X4 X5 Xj + x'j X 2 x" 3 X 5 £r] + X _ l X n £ 3 X 5 X 6 T £1 X 2 X 3 X~ 4 X~ 5 X s -f 
X1X3X4X5X6 + 11X2X3X4X5X6 + X"iX2X 3 X 4 X5 + XiX2X' 4 X5X"6 -T X~2X3X" 4 X5X" I 5 + i~2X 3 X 4 X5X~6 - 
X 1 X;X" 3 X4X 6 -(-X 1 X 3 X"4X"5X' 6 + Xi X2X 4 X5X _ 6 + X"2 x"3X 4 x"5 X 6 — X1I2X3X5XS — X ; x"2X4X"5X6 + X; X 3 X4X" 5 X 6 -j- 
X1X2X3X4X6 + X 1 I 3 X4X"5X6 + 11X3X4X5X5 

5? (Xl, X 2 , X3, X 4 , X 5 , X 6 ) = x" 1 x"3X4X5X~ 6 -x" 1 X 3 X4X" 5 x"6+X"iX2X4X5X' 6 +X"iX"3X"4X5X6 + X _ iX2r4X'5X6-t- 
X~l X" 3 X 4 X" 5 X 5 -)- X" 3 X" 3 X4 x" 5 X~6 + X 1 X~2 X 4 X 5 X _ 6 + X~2 X 3 X _ 4 X 5 x's ~ X 1 X 2 x" 3 X 5 x"" 6 + X 2 X 3 x" 5 x" e + X _ 2 X3 X 4 x" 5 X 5 + 
XiX"2X 4 X5X6 + XiX" 2 X 3 X"4X"5X6 + x"2X3X 4 X5X6 + I2X"3X" 4 X 6 + X2X* 4 X 5 X5 + XlX2X3X 4 X" 5 

■S|(xi, X 2 , X 3 , X 4 , X 5 , X 6 ) = x"iX2X" 3 x"5X" 6 + x"lX _ 2X"4X5 + x"iX2X3l5 + x" 1 X2X~3X 4 -f x"iX2X4X 5 + 
X"lX3X4X5X6 + XlX2X~3X*4X"6-t-XlX"2X3X4X~6-|-X2X"3X4X"5l"6— X ; X2X3X" 4 X~ 6 — X; X 2 x"" 4 X5I6 + X 1 X~2X"3X 4 X6 + 
X~2X 3 X" 4 X 5 X6 + Xil3X4X"5X 6 + XiX2X 3 X" s X 6 — X2X3X4X5X6 

5f(xi,X2,X3,I 4l X5,X 6 ) = £ l X 2 X 3 X i £fS ~ X 1 X2X 3 X 4 Xs + X^X2X"3X 4 X5 + x'iX2X 3 X 4 X5X' 6 -f 
Xl 13X4X5 X~5 + X 1 X"2X"3X~5X 6 + x" 1 x" 2 X~4X5Xo+x" 1 X2l"3X5X 6 + r^X 3 X4X _ 5X 6 + X^2X - 3X _ 4X" 6 X^ 
XlX3X~4X~5X~6 + XlX~3X4XsX"6 + X2X3X"4X"5l" 6 + I 1 X2X3r"4-rXiX2X 3 X~5X~ S -rX 1X2X3 x"5X 6 + Xi X3X4X5X6 
Abstract. In this paper, we show that the FFT-Hash function proposed by Schnorr [2] is not collision free. Finding a collision requires about $2^{24}$ computations of the basic function of FFT. This can be done in a few hours on a SUN4 workstation. In fact, it is at most as strong as a one-way hash function which returns a 48-bit value. Thus, we can invert the proposed FFT hash function with $2^{48}$ basic computations. Some simple improvements of the FFT hash function are also proposed to try to get rid of the weaknesses of FFT.



History

The first version of FFT-Hashing was proposed by Schnorr during the rump session of Crypto'91 [1]. This function has been shown not to be collision free at Eurocrypt'92 [3]. An improvement of the function was proposed the same day [2] without the weaknesses discovered. However, FFT-Hashing still has some other weaknesses, as is proved in this paper.

1 FFT-Hash-II, Notations

The FFT-hash function is built on a basic function $<\cdot, \cdot>$ which takes one 128-bit long hash block H and one 128-bit long message block M, and returns a 128-bit long hash block $<H, M>$. The hash value of n message blocks $M_1, \ldots, M_n$ is $<\ldots <<H_0, M_1>, M_2>, \ldots, M_n>$ where $H_0$ is a constant given in hexadecimal by:

$H_0$ = 0123 4567 89ab cdef fedc ba98 7654 3210

The basic function is defined by two one-to-one functions Rec and FT2 on the set $(GF_p)^{16}$ where $p = 2^{16} + 1$. The concatenation HM defines 16 16-bit numbers, which represent 16 numbers in $GF_p$ between 0 and p-2. $(Rec \circ FT2 \circ Rec)(HM)$ defines 16 numbers of $GF_p$. The last 8 numbers taken modulo $2^{16}$ are the result $<H, M>$.

* The Laboratoire d'Informatique de l'Ecole Normale Supérieure is a research group affiliated with the CNRS.

E.F. Brickell (Ed.): Advances in Cryptology - CRYPTO '92, LNCS 740, pp. 587-593, 1993.
© Springer-Verlag Berlin Heidelberg 1993
We define the following notations:

$A(M) = H_0 M$
$B(M) = Rec(A(M))$
$C(M) = FT2(B(M))$
$D(M) = Rec(C(M))$

So, $<H_0, M>$ is the last 8 numbers of D(M) taken modulo $2^{16}$. We define $X_i$ as the i-th number of X (from 0 to 15), and X[i, j] as the list of the i-th to the j-th numbers of X.

If $x_i \in GF_p$, i = 0, ..., 15, we define $y_{-3} = x_{13}$, $y_{-2} = x_{14}$ and $y_{-1} = x_{15}$. Then, following Schnorr:

$$y_i = x_i + y^*_{i-1} y^*_{i-2} + y_{i-3} + 2^i \qquad (1)$$

where $y^* = 1$ if $y = 0$ and $y^* = y$ otherwise. Then, we let:

$$Rec(x_0, \ldots, x_{15}) = y_0, \ldots, y_{15}$$

If $x_i \in GF_p$, i = 0, ..., 7, we define:

$$y_i = \sum_{j=0}^{7} \omega^{ij} x_j$$

where $\omega = 2^4$. Then, we define $FT(x_0, \ldots, x_7) = y_0, \ldots, y_7$.

If $x_i \in GF_p$, i = 0, ..., 15, we define $y_0, y_2, \ldots, y_{14} = FT(x_0, x_2, \ldots, x_{14})$ and $y_1, y_3, \ldots, y_{15} = FT(x_1, x_3, \ldots, x_{15})$. Then, we define $FT2(x_0, \ldots, x_{15}) = y_0, \ldots, y_{15}$.

2 Basic Remarks

If we want to find a collision to the hash function, we may look for a pair (x, x') of two 128-bit strings such that $<H_0, x> = <H_0, x'>$. In fact, we will look for x and x' such that D(x)[8, 15] = D(x')[8, 15].

First, we notice that we have necessarily C(x)[11, 15] = C(x')[11, 15]. In one direction, we show that $C(x)_i = C(x')_i$ for i = 11, ..., 15. This is due to the equation:

$$C_i = D_i - D^*_{i-1} D^*_{i-2} - D_{i-3} - 2^i$$

Conversely, if we have both C(x)[11, 15] = C(x')[11, 15] and D(x)[8, 10] = D(x')[8, 10], then we have D(x)[8, 15] = D(x')[8, 15].

Moreover, we notice on equation (1) that B(x)[0, 7] is a function of x[5, 7] only. Let us denote:

$$B(x)[0, 7] = g(x[5, 7])$$

Finally, we notice that FT2 is a linear function.
3 Breaking FFT

3.1 Outlines

If we get a set of $3 \cdot 2^{24}$ strings x such that C(x)[11, 15] is a particular string R chosen arbitrarily², we will have a collision on D(x)[8, 10] with probability 99% thanks to the birthday paradox. We will describe an algorithm which gives some x with the definitively chosen R for any x[5, 7] = abc.

Given abc = x[5, 7], we can compute B(x)[0, 7] = g(abc). If we denote y = B(x)[8, 15], the following equation is a linear equation in y:

$$FT2(g(abc)\,y)[11, 15] = R \qquad (2)$$

We can define a function $\phi_R$ and three vectors $U_e$, $U'_e$, $U_o$ such that

$$(2) \iff \exists \lambda, \lambda', \mu \quad y = \phi_R(abc) + \lambda U_e + \lambda' U'_e + \mu U_o$$

(see section 3.2).

Finally, the system

$$\begin{cases} x[5, 7] = abc \\ C(x)[11, 15] = R \end{cases}$$

is equivalent to the system:

$$\begin{cases} x[5, 7] = abc \\ y = \phi_R(abc) + \lambda U_e + \lambda' U'_e + \mu U_o \\ x = Rec^{-1}(g(abc)\,y) \end{cases}$$

which is equivalent to

$$\begin{cases} y = \phi_R(abc) + \lambda U_e + \lambda' U'_e + \mu U_o \\ y_{13} = a + y^*_{12} y^*_{11} + y_{10} + 2^{13} \\ y_{14} = b + y^*_{13} y^*_{12} + y_{11} + 2^{14} \\ y_{15} = c + y^*_{14} y^*_{13} + y_{12} + 2^{15} \\ x[5, 7] = abc \\ x[0, 4] = Rec^{-1}(g(abc)\,y)[8, 12] \end{cases} \qquad (3)$$
If we substitute y by the expression of the first equation in the other equations, we obtain a system of three equations in the three unknowns $\lambda, \lambda', \mu$. This system can be shown linear in $\lambda$ and $\lambda'$ by a good choice of $U_e$, $U_o$ and $U'_e$. Then, this system can have some solutions only if its determinant, which is a degree 2 polynomial in $\mu$, is 0. This can give some $\mu$. Then, the pair $(\lambda, \lambda')$ is almost always unique. For more details, see section 3.3.

Finally, this gives 0 or 2 solutions x, with an average number of 1 for a given abc. If we try $1 \le a < p$, $1 \le b \le 768$ and c = 2, we have $3 \cdot 2^{24}$ values of abc.



² For the collisions found in this paper, R is the image of my phone number by FT2.
3.2 Solving (2)

The function $X \mapsto FT2(X)[11, 15]$ is linear, and has a kernel of dimension 3. If we define:

$$U = (0, 0, 0, 0, 4081, 256, 1, 61681)$$
$$U' = (0, 0, 0, 0, 65521, 4352, 1, 0)$$

we notice that:

$$FT(U) = (482, 56863, 8160, 57887, 7682, 0, 0, 0)$$
$$FT(U') = (4337, 61202, 65503, 544, 61170, 3855, 0, 0)$$

Let us introduce the following notation:

$$(x_0, \ldots, x_7) \times (y_0, \ldots, y_7) = (x_0, y_0, \ldots, x_7, y_7)$$

We have $FT2(X \times Y) = FT(X) \times FT(Y)$. Thus, we can define:

$$U_e = U \times 0, \qquad U_o = 0 \times U, \qquad U'_e = U' \times 0$$

So, we have:

$$U_e = (0, 0, 0, 0, 0, 0, 0, 0, 4081, 0, 256, 0, 1, 0, 61681, 0)$$
$$U_o = (0, 0, 0, 0, 0, 0, 0, 0, 0, 4081, 0, 256, 0, 1, 0, 61681)$$
$$U'_e = (0, 0, 0, 0, 0, 0, 0, 0, 65521, 0, 4352, 0, 1, 0, 0, 0)$$

These vectors are a basis of the kernel of $X \mapsto FT2(X)[11, 15]$.

If M denotes the matrix of FT, we can write it using four 4 x 4 blocks:

$$M = \begin{pmatrix} M_{11} & M_{12} \\ M_{21} & M_{22} \end{pmatrix}$$

If x and y are two vectors of 4 elements, we have:

$$FT(xy)[4, 7] = 0 \iff y = -M_{22}^{-1} M_{21}\, x$$

Let us define:

$$N = -M_{22}^{-1} M_{21} = \begin{pmatrix} 65281 & 4335 & 289 & 61170 \\ 3823 & 8992 & 53012 & 65248 \\ 8447 & 61748 & 56545 & 4335 \\ 4369 & 57090 & 3823 & 256 \end{pmatrix}$$

Now, if x and y are two vectors of 8 elements, we have:

$$FT2(xy)[8, 15] = 0 \iff y = Nx^0 \times Nx^1$$

where $x = x^0 \times x^1$. Let us define:

$$\phi_R(abc) = g(abc)\,(Nx^0 \times Nx^1 + y^0)$$

where $g(abc) = x^0 \times x^1$ and $R = FT2(0\,y^0)[11, 15]$ for an arbitrary $y^0$ (one's phone number for instance). Then, $\phi_R(abc)$ is a vector which begins with g(abc), and such that $FT2(\phi_R(abc))$ ends with the constant vector R. So, we have:

$$(2) \iff \exists \lambda, \lambda', \mu \quad y = \phi_R(abc) + \lambda U_e + \lambda' U'_e + \mu U_o$$
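The definitions of sections 1 and 2 and the vectors of section 3.2, as an added example (this is not code from the paper, from Schnorr's proposal, or from any FFT-Hash implementation): a Python implementation of Rec, FT, FT2 and $<H_0, M>$ over $GF(2^{16}+1)$, with functions that check the two basic remarks (B(x)[0, 7] is a function of x[5, 7] only, and D(x)[8, 15] determines C(x)[11, 15]), that FT(U), FT(U') and the three kernel vectors are as stated, that the first column of N comes out of $-M_{22}^{-1} M_{21}$, and that $\phi_R(abc)$ built as $g(abc)\,(Nx^0 \times Nx^1 + y^0)$ has FT2 ending with R. The recursion uses the star on both factors, as in equation (1) above. The message block and the vector $y^0$ in it are constructed sample values, and all function names (rec, ft2, complete, phi_R, ...) are mine.

```python
# Added example (not the paper's or Schnorr's code): FFT-Hash-II pieces from
# sections 1-2 and the section 3.2 kernel/completion facts, over GF(p).
P = 2**16 + 1        # GF(p) with p = 2^16 + 1
OMEGA = 2**4         # 16^8 = 2^32 = 1 (mod p): a primitive 8th root of unity
H0 = [0x0123, 0x4567, 0x89ab, 0xcdef, 0xfedc, 0xba98, 0x7654, 0x3210]

def star(v):
    """y* of equation (1): 1 if y = 0, y otherwise."""
    return 1 if v == 0 else v

def rec(x):
    """Rec: y_i = x_i + y*_{i-1} y*_{i-2} + y_{i-3} + 2^i (mod p), i = 0..15,
    seeded with y_{-3}, y_{-2}, y_{-1} = x_13, x_14, x_15."""
    y = [x[13], x[14], x[15]]
    for i in range(16):
        y.append((x[i] + star(y[-1]) * star(y[-2]) + y[-3] + 2**i) % P)
    return y[3:]

def rec_inv(y):
    """Rec^{-1}: x_i = y_i - y*_{i-1} y*_{i-2} - y_{i-3} - 2^i.  Positions 3..15
    need y only; x_13..x_15 then give y_{-3}..y_{-1}, hence x_0..x_2."""
    x = [0] * 16
    for i in range(3, 16):
        x[i] = (y[i] - star(y[i - 1]) * star(y[i - 2]) - y[i - 3] - 2**i) % P
    pre = [x[13], x[14], x[15]] + y[:3]            # pre[k] = y_{k-3}
    for i in range(3):
        x[i] = (y[i] - star(pre[i + 2]) * star(pre[i + 1]) - pre[i] - 2**i) % P
    return x

def ft(x):
    """FT over GF(p): y_i = sum_{j=0..7} omega^{ij} x_j."""
    return [sum(pow(OMEGA, i * j, P) * x[j] for j in range(8)) % P for i in range(8)]

def interleave(a, b):
    """The paper's X x Y = (x_0, y_0, x_1, y_1, ...)."""
    return [v for pair in zip(a, b) for v in pair]

def ft2(x):
    """FT2: FT on the even positions and FT on the odd positions."""
    return interleave(ft(x[0::2]), ft(x[1::2]))

def stages(m):
    """A = H0 M, B = Rec(A), C = FT2(B), D = Rec(C) for a message block m."""
    a = H0 + list(m)
    b = rec(a)
    c = ft2(b)
    return a, b, c, rec(c)

def basic(m):
    """<H0, M>: the last 8 numbers of D(M) taken modulo 2^16."""
    return [v % 2**16 for v in stages(m)[3][8:]]

def g_of(abc):
    """g(abc) = B(x)[0,7]: only H0 and x[5,7] = A_13..A_15 feed these values."""
    return rec(H0 + [0] * 5 + list(abc))[:8]

def c_tail_from_d(d):
    """C_i = D_i - D*_{i-1} D*_{i-2} - D_{i-3} - 2^i, i = 11..15: the public
    D[8,15] determines C[11,15]."""
    return [(d[i] - star(d[i - 1]) * star(d[i - 2]) - d[i - 3] - 2**i) % P
            for i in range(11, 16)]

# Section 3.2: FT(U)[5,7] = 0 and FT(U')[6,7] = 0, so the 16-vectors U_e = U x 0,
# U_o = 0 x U and U'_e = U' x 0 (in positions 8..15) lie in the kernel of
# X -> FT2(X)[11,15].
U = [0, 0, 0, 0, 4081, 256, 1, 61681]
U1 = [0, 0, 0, 0, 65521, 4352, 1, 0]
Z8 = [0] * 8
U_E, U_O, U1_E = Z8 + interleave(U, Z8), Z8 + interleave(Z8, U), Z8 + interleave(U1, Z8)

def in_kernel(v):
    """True when FT2(v)[11,15] is the zero vector."""
    return ft2(v)[11:] == [0] * 5

def solve_mod(A, b):
    """Gauss-Jordan solution of A v = b over GF(p) (A square, invertible)."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        piv = next(r for r in range(col, n) if M[r][col])
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], P - 2, P)
        M[col] = [v * inv % P for v in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(u - f * v) % P for u, v in zip(M[r], M[col])]
    return [row[n] for row in M]

def complete(x4):
    """y = N x with N = -M22^{-1} M21 (M = matrix of FT in 4x4 blocks):
    the 4 numbers y with FT(x y)[4,7] = 0."""
    M = [[pow(OMEGA, i * j, P) for j in range(8)] for i in range(8)]
    m21 = [row[:4] for row in M[4:]]
    m22 = [row[4:] for row in M[4:]]
    rhs = [-sum(m21[i][j] * x4[j] for j in range(4)) % P for i in range(4)]
    return solve_mod(m22, rhs)

def phi_R(abc, y0):
    """phi_R(abc) = g(abc) y with y = (N x^0 x N x^1) + y^0, g(abc) = x^0 x x^1;
    FT2 of it ends with R = FT2(0 y^0)[11,15], whatever abc is."""
    g = g_of(abc)
    y = interleave(complete(g[0::2]), complete(g[1::2]))
    return g + [(u + v) % P for u, v in zip(y, y0)]

if __name__ == "__main__":
    # Constructed sample values, not from the paper.
    m = [0x1234, 0x5678, 0x9abc, 0xdef0, 0x0f1e, 0x2d3c, 0x4b5a, 0x0002]
    y0 = [11, 22, 33, 44, 55, 66, 77, 88]
    a, b, c, d = stages(m)
    print("<H0,M> =", " ".join("%04x" % v for v in basic(m)))
    print("C[11,15] from D:", c_tail_from_d(d) == c[11:])
    print("kernel:", in_kernel(U_E), in_kernel(U_O), in_kernel(U1_E))
    print("R reached:", ft2(phi_R(m[5:8], y0))[11:] == ft2(Z8 + y0)[11:])
```

Running the block as a script prints the hash step for the sample block and the three checks; the vector returned by phi_R begins with g(abc) and keeps its FT2 tail R after any combination of U_e, U'_e and U_o is added, which is exactly the freedom the paper's system (3) then uses to make x[5, 7] equal abc.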
3.3 Solving (3)

If we hope that no $y_i$ (i = 11, 12, 13, 14) is equal to 0 (we may ultimately test this condition, and forget the solutions y which do not pass this test, but this will be very rare), the system:

$$\begin{cases} y = \phi_R(abc) + \lambda U_e + \lambda' U'_e + \mu U_o \\ y_{13} = a + y^*_{12} y^*_{11} + y_{10} + 2^{13} \\ y_{14} = b + y^*_{13} y^*_{12} + y_{11} + 2^{14} \\ y_{15} = c + y^*_{14} y^*_{13} + y_{12} + 2^{15} \\ x[5, 7] = abc \\ x[0, 4] = Rec^{-1}(g(abc)\,y)[8, 12] \end{cases}$$

implies

$$\begin{cases} z_{13} + \mu = a + (z_{12} + \lambda + \lambda')(z_{11} + 256\mu) + z_{10} + 256\lambda + 4352\lambda' + 2^{13} \\ z_{14} + 61681\lambda = b + (z_{13} + \mu)(z_{12} + \lambda + \lambda') + (z_{11} + 256\mu) + 2^{14} \\ z_{15} + 61681\mu = c + (z_{14} + 61681\lambda)(z_{13} + \mu) + (z_{12} + \lambda + \lambda') + 2^{15} \end{cases}$$

where $z = \phi_R(abc)$. If we define:

$$a' = a + z_{12} z_{11} + z_{10} + 2^{13} - z_{13}$$
$$b' = b + z_{13} z_{12} + z_{11} + 2^{14} - z_{14}$$
$$c' = c + z_{14} z_{13} + z_{12} + 2^{15} - z_{15}$$

we have

$$\begin{pmatrix} z_{11} + 256\mu + 256 & z_{11} + 256\mu + 4352 & a' - (1 - 256 z_{12})\mu \\ z_{13} + \mu - 61681 & z_{13} + \mu & b' + (256 + z_{12})\mu \\ 61681(z_{13} + \mu) + 1 & 1 & c' - (61681 - z_{14})\mu \end{pmatrix} \begin{pmatrix} \lambda \\ \lambda' \\ 1 \end{pmatrix} = 0$$

This is a linear system in the unknowns $\lambda$ and $\lambda'$. If this system has a solution, its determinant has to be 0.



3.4 Discussion

This condition may be sufficient in most of the cases. The determinant should be a degree 3 polynomial. However, the coefficient of $\mu^3$ is the determinant of the following matrix:

$$\begin{pmatrix} 256 & 256 & (1 - 256 z_{12}) \\ 1 & 1 & -(256 + z_{12}) \\ 61681 & 0 & (61681 - z_{14}) \end{pmatrix}$$

which is 0 since the first line is 256 times the second.

The coefficient of $\mu^2$ is 0 with probability 1/p; this is rare. In this case, we have one solution if the equation has degree one, and zero or p solutions in the other cases.
$\mu$ has to satisfy a degree 2 equation. If the discriminant is different from 0, it has a square root with probability 50%. So, we have two different $\mu$, or no solution, with probability 50% each, and a single solution with probability 1/p.

For each $\mu$, we are likely to have a unique solution $(\lambda, \lambda')$. However, it is possible to have 0 or p solutions, but it is rare. So, for each solution $(\lambda, \lambda', \mu)$, we can compute y in the system (3), then x. Finally, we have zero or two solutions x in almost all cases.

3.5 Reduction of the Function FFT

To sum up, we have a function $f_R$ such that for a given abc:

$$f_R(abc) = \{\, D(x)[8, 10] \;;\; x[5, 7] = abc \wedge C(x)[11, 15] = R \,\}$$

$f_R(abc)$ is a list of 0 or 2 values D(x)[8, 10], one for each x such that x[5, 7] = abc and C(x)[11, 15] = R. The average number of x is 1, so $f_R$ is almost a function.

The function $f_R$ is a kind of reduction of FFT since a collision for $f_R$ gives a collision for FFT. We can use the birthday paradox with $f_R$ to get some collision. The expected complexity is $O(2^{24})$.

We can invert FFT with $f_R$ too. If we are looking for x such that D(x)[8, 15] = z, we can compute $R = Rec^{-1}(z)[11, 15]$ and look for abc such that $f_R(abc) = z[0, 2]$. The complexity is $2^{48}$. Then, we get the x required.

4 Finding Collisions with the Birthday Paradox

If we suppose that $f_R$ is like a real random function, the probability that a set $\{f_R(x_i)\}$ for k different $x_i$ has k elements is close to:

$$e^{-\frac{k^2}{2n}}$$

where n is the cardinality of the image of $f_R$, when k is close to $\sqrt{n}$. So, with $n = 2^{48}$ and $k = 3 \cdot 2^{24}$, the probability is 1%.

Two collisions have been found in 24 hours by a SUN4 workstation with $k = 3 \cdot 2^{24}$ different x. With the choice:

R = 5726 17fc 6115 c0c0 a631

we got:

FFT(17b3 2755 4e52 6915 2218 1948 00a8 0002) =
FFT(9c7Q 504e 834c 615c f404 94e2 02a7 0002) =
0851 393d 37c9 66e3 J809 cf806 5e8c 0568

and:

FFT(8ccc 23a4 086a! f669 85f4 7062 029e 0002) =
FFT(9db'i 45ae 3286 ada1 8c77 9877 0264 0002) =
10e0 49f5 9df0 d91b 0450 afee fbaA 2063
Conclusion

The main weaknesses of FFT-Hash-II are described in section 2. First, the beginning of the computation depends on too little information from the input: B(x)[0, 7] is a function of x[5, 7]. Second, the output allows to compute too much information about the computations in FFT: D(x)[8, 15] allows to compute C(x)[11, 15]. The connection between B(x) and C(x) is linear; this makes our attack possible.

To get rid of the first weakness, we might mix $H_0$ and x in A(x) before applying Rec. Similarly, the result of $<H_0, x>$ should be the set of $D(x)_{2i+1}$ instead of the right side.